Android is facing a security crisis

Popular Android phones such as the Samsung Galaxy S6 will get security updates every month. AP

It's turning out to be a disastrous week for Android.

A few days ago, we learned about Stagefright, a vulnerability in practically all Android devices that can be exploited with a simple text message. All someone has to do is get a person's phone number and send a certain type of message in order to take over the device. The affected user doesn't even need to open the message. Receiving it does the trick.

After that, Stagefright essentially gives the attacker control over the victim's Android device.

"Attackers only need your mobile number, using which they can remotely execute code via a specially crafted media file delivered via MMS," the security firm Zimperium Mobile Security, which discovered the flaw, said on its website. "A fully weaponized successful attack could even delete the message before you see it. You will only see the notification. These vulnerabilities are extremely dangerous because they do not require that the victim take any action to be exploited."

So far there have not been any solid reports of people affected by Stagefright, but the fact that the vulnerability affects a large majority of smartphone users around the world is reason enough to be worried. Stagefright can attack phones running Android version 2.2 and higher, making an estimated 950 million devices vulnerable, Zimperium warns. Google denies that many devices are affected. It says 90% of Android phones have a protection against Stagefright.

But it's easy to remain skeptical of Google's claim that most devices are safe, since the company and its partners are scrambling to fix Stagefright and to assure some users that frequent security updates are coming to Android.

On Wednesday, Google, wireless carriers, and phone makers announced major moves to protect users against Stagefright and future vulnerabilities. In a strange way, Stagefright has been a good thing. It has finally mobilized the fragmented system of Android developers, device manufacturers, and carrier partners to take a unified stance and start working together.

Deutsche Telekom, the German wireless carrier, announced that it would be shutting off its multimedia messaging service (MMS) to protect users from Stagefright. Google will start issuing monthly security updates to its Nexus line of Android devices moving forward as a way to protect users from future bugs. Samsung will also release monthly security updates for select devices. AT&T and Sprint will help push Samsung's security updates. It's unclear how other carriers will help out, but Samsung will need their support too.

In statements to Tech Insider, LG, Motorola, and HTC all made promises to fix the Stagefright bug and ensure that future devices would not be affected.

But it will not be enough. Android is the world's largest operating system, but it is run by a wild network of players. Google has little to no control over Android. If a vulnerability affects Android's massive user base, Google has to wrangle literally hundreds of players together to fix the problem. It's an impossible task.

Wednesday's moves are great for many users, but hundreds of millions of Android users will remain vulnerable to Stagefright and/or whatever the next Android security flaw is. The promises we have from manufacturers and Google to update devices apply only to certain flagship phones or phones that were recently released. It's unclear whether and when older and cheaper Android devices, which make up most of the Android ecosystem, will be updated or get the monthly security updates promised to some users on Wednesday.

It also highlights the biggest problem with Android: fragmentation.

This chart represents all the various Android devices in the world. OpenSignal

Android is an open-source operating system, meaning anyone can take the software and put it on his or her phone or tablet. Most manufacturers change Android by adding their own designs, apps, and other special features. But because each manufacturer's version of Android is slightly different, most devices don't get new software updates as soon as they're available.

That's particularly bad when someone discovers a security vulnerability in Android. It's a major challenge to make sure all users get software updates to fix it.

Android isn't the only mobile platform that is vulnerable to attacks. In a separate event in May, for example, a string of characters texted to Apple devices would cause the Messages app to crash. But we learned the benefit of owning an Apple device when that flaw was discovered. Apple was able to push out a fix to all of its devices because they are all running the same software.

The problem we're seeing with Android now is that with so many different devices on so many different carriers running so many variations of Android, it's nearly impossible to make sure most users are safe. Google and its partners made a good first step by promising monthly security updates for some devices, but it's not even close to good enough.

On February 28, Axel Springer, Business Insider's parent company, joined 31 other media groups and filed a $2.3 billion suit against Google in Dutch court, alleging losses suffered due to the company's advertising practices.
