Google releases Stagefright megabug patch for phones

LONDON: Google and Samsung will release new security updates for Android phones every month, in an attempt to prevent the platform from falling behind in the fight against malware.

The two companies’ announcements come in the wake of an embarrassing bug in Android’s media handling framework, called Stagefright, which had been dubbed “Heartbleed for mobile” after the desktop virus of that name. Despite Google being warned about Stagefright in April, the vast majority of Android phones were vulnerable to it when security researcher Joshua Drake went public with it 90 days later.

Alongside the new frequent security updates, Google has finally released a patch for Stagefright for its own Nexus line of phones, which it sells directly to customers. The company argues that the majority of users weren’t at risk, however, with application sandboxing limiting the amount of damage an attacker could do.

Adrian Ludwig, lead engineer for Android Security, said, “From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device, via the Google Store.”

Samsung partially matched Google’s offering, confirming that users of the company’s mobile phones would receive their own security updates once a month. Dong Jin Koh, Samsung’s Head of mobile research, said, “With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a timelier manner. Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected.

“We believe that this new process will vastly improve the security of our devices, and will aim to provide the best mobile experience possible for our users.”

Samsung has not, however, matched Google’s promise to patch devices for at least three years from release.

Following Google’s announcement, the most popular Android phones are, or will be, fixed this month. The company confirmed fixes for the HTC One M7, One M8, One M9, LG Electronics G2, G3, G4 and Sony Xperia Z2, Xperia Z3, Xperia Z4, and Xperia Z3 Compact.