I’m sure that most of us dislike unsolicited phone calls from salespeople or marketing agencies; they are a nuisance but not harmful. However, 95 percent of Android phone owners now also have to worry about unsolicited picture messages—or, more specifically, unsolicited picture messages containing malware. This is thanks to a vulnerability in the Android Stagefright software that processes video: if an Android phone receives a multimedia message containing the malware, the phone will be hijacked and data stolen before you hear the “text received” notification.
The Issue with Android Updates
Researchers from Zimperium notified Google of this security issue last April and, as responsible security researchers, they also provided the patches to fix it. Google accepted the patches and updated its Android software. You might think that the story ends here; however, there is still a huge problem when it comes to patching all the Android phones around the globe.
Whereas Apple is solely responsible for patching iPhones, because it owns the hardware and software, Google is not solely responsible for patching Android phones. Android phone owners instead depend on a combination of their phone manufacturer and their mobile carrier to provide security patches—and these third parties add delay, because they have to take the new software from Google and then certify it against their phone hardware. This typically takes several months, during which their customers’ phones remain unpatched and susceptible to the malware.
So What Can Android Phone Owners Do?
In light of malware threats such as this, the best that all Android phone owners can do is:
- To be proactive and aware of malware, checking websites such as Android Central for the latest threats and safeguards.
- To update their phone to the latest Android version immediately via the phone manufacturer or mobile carrier.
- To complain to the manufacturer or carrier if it is slow to provide a fix for a known exploit, and even to consider changing their phone.
- For older Android phones, the inability to patch the exploit, due to device limitations, might again be the spur to change phones.
Corporate IT organizations that allow employees to use their personal devices for work purposes, such as email or access to corporate applications, via “bring your own device” (BYOD) schemes should consider banning the use of Android phones for work purposes until they are sure that employee devices are up to date and patched. This can be done via corporate Mobile Device Management (MDM) solutions such as VMware AirWatch, Microsoft Enterprise Mobility Suite, or others.
About the Author: Sarah Lahav is CEO of SysAid Technologies.
Edited by Dominick Sorrentino