Openness is Android’s greatest strength — a flexibility that has enabled it to spread to now power four of every five smartphones on the planet.
But openness can be, at times, its greatest weakness. This frailty was demonstrated on Monday when Joshua Drake, a researcher with security firm Zimperium, revealed a hole in Android’s source code that hackers can exploit with profound ease: If they have a phone’s number, all they do is send a text. The bug, dubbed “Stagefright,” houses “the worst Android vulnerabilities discovered to date,” the company wrote.
It’s a particularly malicious hack because it can compromise the device quietly, unbeknownst to its owner. And for Google, fixing it largely falls outside its control.
“This is a Heartbleed for mobile,” said Chris Wysopal, the CTO of Veracode, referencing the formidable security bug that surfaced last year. “It’s sort of the Holy Grail of attacks on phones, where there’s no user interaction.”
Google confirmed the flaw’s existence, and said it has notified its hardware and telecom partners. It does not appear that any Android devices have suffered the hack as of yet.
“We thank Joshua Drake for his contributions,” a Google spokeswoman said in a statement. “The security of Android users is extremely important to us and so we responded quickly, and patches have already been provided to partners that can be applied to any device.”
It’s those multitudinous partners that leave Android particularly vulnerable. Unlike Apple, Android pushes out its updates to device manufacturers, who are then obliged to implement them. Apple has faced similar vulnerabilities in the past, but has staved them off recently through its tighter grip on the OS, said Wysopal.
While Android has attempted to exert more control on the hardware in recent years, it still must manage many moving parts at once. Security flaws, like Stagefright, are particularly frustrating for Google, since it needs to rely on partnering telcos and handset-makers, who are often slower on the uptake.
Drake, the researcher, wrote that the Stagefright bug affects Android versions 2.2 and above. Other security analysts suggest that iterations older than Jelly Bean version 4.2, which typically run on low-end Android devices, are more vulnerable since they lack much of the security infrastructure built into the later versions.
Wysopal suggested that Google may need to deploy a blanket solution. The time it may take to patch such a bug, he said, leaves a window for hackers to seize the hole. “The hardware manufacturers and the carriers have been really slow, and not nearly as quick as Google has been,” he said.
Google’s responsiveness is part of a broader move to bolster the security credentials within Android, particularly with its “sandbox” application — software meant to isolate the code and data in individual apps from one another. “Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult,” the company added in its statement.
HTC sent the following statement to NPR: “Google informed HTC of the issue and provided the necessary patches, which HTC began rolling into projects in early July. All projects going forward contain the required fix.” T-Mobile told Re/code it is working with phone makers to fix the bug as well.
We reached out to the other major carriers and large Android manufacturers, Samsung and Motorola, and will update if they respond.
Drake plans to unveil his full research on Stagefright at the Black Hat USA conference in August.
Update: Verizon echoed the statement from T-Mobile. A rep for Motorola sends word that Google informed them of the bug in June, and that it has integrated the corrective patch in many recent Lollipop (the most recent Android) upgrades and will extend it to all ASAP.
Also, Google, for its part, is playing even more defense. It put out this statement late Monday eve:
As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we’ll be releasing it in open source when the details are made public by the researcher at Black Hat.
And if you care to get really deep in the weeds, Adrian Ludwig, Android’s chief security engineer, put out a lengthy Google+ statement. Without naming Stagefright outright, he clearly hints that the buzz around the bug is alarmist. “[T]he research community today,” Ludwig wrote, “is incentivized to find lots of bugs rather than to test exploit mitigation technologies, so it can be difficult to know if exploitation of bugs is actually possible.”
This article originally appeared on Recode.net.