
Critical Android security patches released – but will your phone ever see them?

Google has released new security patches for its Android operating system this week, tackling a wide array of vulnerabilities that could be exploited by malicious attackers.

The most critical of the patched vulnerabilities are security flaws in Android's troubled Mediaserver component, which could be exploited by a malicious hacker to execute code remotely on targeted devices.

In recent years, Mediaserver has often been seen as a weak spot in Android, because flaws have repeatedly been found in the way that Android handles multimedia content (images and video files).

A typical attack scenario might see a remote attacker attempting to infect your Android smartphone with malware, simply by tricking you into opening an email, opening an MMS or browsing a website containing a booby-trapped media file.

What may surprise some users is that an attack can even happen while you’re tucked up in bed, dreaming of Sundar Pichai, as your smartphone may process a booby-trapped file – sent via a messaging app – while you sleep.

According to the Android security bulletin, exploitation of the security vulnerabilities is “made more difficult by enhancements in newer versions of the Android platform.”

For this reason, Google encourages all users to “update to the latest version of Android where possible.”

Wise words, and ones I agree with. But the problem remains that many Android users find it impossible to update their devices.

As we described earlier this year, the problem of unpatched devices is more acute on Android than it is on Apple iOS, because iPhone and iPad users find it far easier to access and install the latest security patches.

With an Android device, whether you will ever receive a security update or operating system upgrade depends on Google, your smartphone’s manufacturer, and your carrier all acting in co-operation. This is the fundamental reason why so many devices are still running out-of-date versions of Android.

If you buy a phone that Google itself has manufactured then things are likely to run smoother, of course. But many consumers have chosen cheaper Android devices – and find themselves left behind with an out-of-date, vulnerable operating system on their phone or tablet.

Even Google smartphone owners can’t necessarily feel confident that they will always receive patches. Just last week Google revealed that its Nexus 6 and Nexus 9 devices, released in November 2014, would no longer be “guaranteed” to receive security updates after October 2017. A similar fate will befall newer Pixel and Pixel XL devices in October 2019.
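As an added example (not part of the article, nor Google's own tooling), here is a small Python check that reads a device's patch level and model from `adb shell getprop` output and reports whether it lags the latest bulletin and whether the device is still inside the guaranteed-update window the article quotes. The two property names are real Android system properties; the sample output, the model strings used as table keys and the bulletin date passed in are constructed assumptions.

```python
from datetime import date

# End of guaranteed security updates, as stated in the article, keyed by the
# ro.product.model string (the exact model strings are assumptions).
GUARANTEE_END = {
    "Nexus 6": date(2017, 10, 1),
    "Nexus 9": date(2017, 10, 1),
    "Pixel": date(2019, 10, 1),
    "Pixel XL": date(2019, 10, 1),
}

# Constructed sample of `adb shell getprop` output (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [7.1.1]
[ro.build.version.security_patch]: [2017-05-05]
[ro.product.model]: [Nexus 6]
"""


def parse_getprop(text):
    """Turn getprop's '[key]: [value]' lines into a dict, skipping anything else."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props


def patch_status(props, bulletin_patch_level, today):
    """Compare a device's security patch level (YYYY-MM-DD) with the level the
    newest bulletin targets, and check whether the device model is still inside
    its guaranteed-update window as of `today` (None if the model is unknown)."""
    level = date.fromisoformat(props["ro.build.version.security_patch"])
    target = date.fromisoformat(bulletin_patch_level)
    end = GUARANTEE_END.get(props.get("ro.product.model"))
    return {
        "patch_level": level.isoformat(),
        "behind_bulletin": level < target,
        "days_behind": (target - level).days if level < target else 0,
        "guaranteed_updates": None if end is None else date.fromisoformat(today) < end,
    }


if __name__ == "__main__":
    # Assumed bulletin patch level and date of the check, for the sample run.
    print(patch_status(parse_getprop(SAMPLE_GETPROP), "2017-07-05", "2017-07-06"))
```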

Their only solace is that Google says it has received no reports of any of these vulnerabilities being actively exploited in the wild, although – of course – often criminals only start to experiment with a flaw when details of the problem become public.

Let’s hope that manufacturers and service providers work closely and quickly together to ensure that over-the-air patches are issued in a timely fashion, and that we do not see a repeat of the all too common situation in which many Android owners are treated poorly and no officially-sanctioned security updates are made available to them – regardless of whether they are keen to update their devices or not.

For more information on the latest Android security issues, be sure to read the official bulletin. Warning: it’s a long list, you’re likely to be scrolling for quite a while.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

Comments


  • "Their only solace is that Google says it has received no reports of any of these vulnerabilities being actively exploited in the wild, although – of course – often criminals only start to experiment with a flaw when details of the problem become public."

    . . . this should help then . . . LOL! ;)

  • Where are the class action lawyers? They seem so quick to go for low hanging fruit. Google, the phone manufacturers and the phone carriers should be held accountable for being so greedy and careless with Android users' safety.

    • Well, I suppose the lawyers act when a customer asks (and pays) them. Maybe Android users are busy playing games or taking selfies instead of reading security news about how easily their data can be stolen ;). I really don't understand how this is possible in 2017, with the most popular mobile OS. If this happened with Microsoft, there would be a million infuriated people and news sites talking about it. Somehow, Google, hiding behind the manufacturers, is allowed to leave users in the wild a couple of years after they buy a phone.

  • I know people with Lenovo tablets and Huawei phones that have never had an update in over 3 years of use. No wonder there are so many devices running old versions of software.

    It's only because the firmware is usually customised that this happens, as it's up to the manufacturer to take the new releases and add their own bits and bobs before sending it out.

    If it were possible (it may be, but who knows) to simply install newer versions of the stock software, that would be ideal, but I suppose it would be hard to guarantee complete functionality of all components of the device. Bit of a Catch-22 then.

    It really ought to be down to Google to push these manufacturers into updating the firmware though or lose their license.