This is hardly a surprise. Google tried updating every Android phone on the planet to fix a vulnerability that let hackers take over devices with a single text message. Now, security researchers say that the patch itself is vulnerable. Talk about stage fright!
The original vulnerability is called Stagefright. Get it? And now it’s afraid to work? This fairly scary weakness would allow hackers to embed malware in videos that could be sent to an Android device and, thanks to an Android feature, would automatically play when the user opened the Hangouts app. Since the flaw affected the operating system itself, up to a billion devices were in danger, prompting Google to release the “biggest software update the world has ever seen.”
But even fixes can have flaws. Exodus Intelligence now reports that they’ve been able to bypass the patch and can still exploit the Stagefright flaw. The security company says that Google’s fix is giving people a “false sense of security”. For its part, Google says that 90 per cent of Android users are safe thanks to a security feature called address space layout randomisation (ASLR) that makes it more difficult for hackers to mount the attack.
One could argue that Google itself is peddling a false sense of security by making people think that Android could ever be secure. While some have given Google the benefit of the doubt that the many disparate versions of the open source operating system could remain secure with everyone from manufacturers to carriers tweaking the code, many seem to agree that Android’s security problems are just getting worse. That’s a thought exercise for another day, however. In the meantime, just stop using Hangouts. [BBC]