It’s been 10 days since Zimperium’s Joshua Drake revealed a new Android vulnerability called Stagefright – and Android is just starting to recover. The bug allows an attacker to remotely execute code through a phony multimedia text message, in many cases without the user even seeing the message itself. Google has had months to write a patch and already had one ready when the bug was announced, but as expected, getting the patch through manufacturers and carriers was complicated and difficult.
But then, something unexpected happened: the much-maligned Android update system started to work. Samsung, HTC, LG, Sony and Android One have already announced pending patches for the bug, along with a device-specific patch for the Alcatel Idol 3. In Samsung’s case, the shift has kicked off an aggressive new security policy that will deploy patches month by month, an example that’s expected to inspire other manufacturers to follow suit. Stagefright seems to have scared manufacturers and carriers into action, and as it turns out, this fragmented ecosystem still has lots of ways to protect itself.
Seeing is believing, but the signs are at least somewhat positive. I doubt all of these will get the fix, though.
That being said, as the linked article explains, this bug really isn’t as worrisome as people made it out to be. Security researchers (often working for companies selling security software) have cried wolf so many times I really don’t take any of them seriously at this point, no matter which operating system’s users they are trying to scare into buying their crap.