Flaw Identified in the New Android Patch

stagefrightAndroid recently provided mobile users with a patch intended to repair a security hole within the operating system called Stage Fright but now, a flaw in that fix has been discovered. Just last month, as many as one billion Android phones were at risk because of vulnerability. Software researchers made that information known to the public.

Last April, Zimperium, another top security company, identified a bug in Android devices that would allow hackers to gain access to data as well as applications on a user’s phone simply by sending the device a video message. This information was provided to Google. In response, Zimperium developed a patch that Google made available to manufacturers of Android phones.

Details of the bug went public last month after the patch had been deployed in the latest Android version. Google stated there were no reports of anyone using the bug for exploitation purposes. Unfortunately, that patch was bypassed by Jordan Gruskovnjak, a researcher with Exodus Intelligence. In a company blog, Exodus stated that most Android users believe they have protection with the latest patch, which is not the case.

According to a statement to the BBC from Google, the majority of Android users have protection thanks to a new security feature known as Address Space Layout Randomization or ASLR. Of all Android devices being used, more than 90% are ASLR enabled.

Because ASLR creates more guesswork, it is supposed to make it more difficult for hackers to plot a breach. Without ASLR, there is a higher risk of the phone actually crashing opposed to being compromised. Unfortunately, this vulnerability is still an issue.

As explained by David Baker, security officer for the computing firm Okta, an early warning sign to a much bigger problem is Stage Fright. Because there is such a large number of device makers who are doing software modifications, no one comprehensive update solution has been developed for Android users.

Software updates to devices are the responsibility of each phone manufacturer. Because Android is an open source operating system, it can be modified by phone makers to use on their own handsets although not all manufacturers take this route.

Some prefer to use versions of Android that are customized, which takes time whenever security changes are made. For that reason, just 2.6% of Android phones are actually operating on the latest version of the open source operating system.

As stated in the Exodus blog, the big issue is that Google has been aware of this flaw for over four months and yet no fix has yet been provided. The flawed patch consists of four lines of code. Presumably, engineers with Google reviewed it prior to it being shipped. At this time, Google cannot show that it is capable of creating a successful remedy, which leads to major concerns for everyone.