New Android flaw discovered, but Google is already on it

Another week, another security flaw, with the latest a real dog of a hack, breaking into handsets using multimedia messages. But have no fear, because our people at Google tell us the company is ready with a patch.

This week, news broke that a hack had been discovered that allowed someone adept at security to break into an Android phone — any Android phone — using a flaw in the way Google’s mobile operating system handles incoming multimedia messages, also known as “MMS”.

The security company that found this was Zimperium, which found that a specific type of code could be hidden in an MMS, sent to a phone, and triggered simply by being received by the phone, since Android devices will try to show a bit of the MMS when the phone picks up the message.

This problem is attributed to a bit of code found in Android called “Stagefright”, which seems ironic given the bit of fright it could yield to someone who receives a malware- or virus-laden MMS at the time, though the name has more to do with how the code handles media files, like video and audio.

According to Zimperium, the dodgy code sent through a hacked MMS could also technically be executed twice: the first time when it’s picked up, and the second time when a person goes in to watch or view the message. The result is essentially an attack on your phone that leaves a viral payload and then ditches the code before you’re even aware anything has happened.

While it sounds quite terrifying, especially since we’re all using our phones for so much these days, Google is already on it, with a spokesperson for the search and operating system giant telling GadgetGuy that “the security of Android users is extremely important to us, so we’ve already responded quickly to this issue by sending the fix for all Android devices to our partners.”

What does this mean?

For the most part, if you have a Google phone, you’re now waiting for the company that makes your phone — Samsung, Sony, LG, Huawei, HTC, Motorola, and so on — to release a patch that deals with this flaw. Given the nature of the hack, we expect the companies to rush this one through, as it’s not just a matter of providing a new feature, but a patch to a flaw that could become dangerous.

That being said, while it might be a few days before every Android device sees the ever important fix, Google has said that flaws like this still run up against a security layer found in the Android operating system, and can’t access other parts of the device, playing in their own sandbox, which is why Google calls this layer the “application sandbox”.

Alternatively, relying on a mobile security program is also beneficial, as this can at least look for applications and tiny programs that are executed in the background, or are attempting to run.

The operating system is also open source, which allows security experts to peek inside the world that is Android and help the company find any flaws or holes, patching them promptly with the advice of those experts.

That’s not to say that Google doesn’t have its own experts, but any software — indeed, every piece of software — can have holes and problems, and likely will until they’re patched (and will still have some after more are patched). The point is that an open source operating system and its open ecosystem are what Google believes make Android even stronger, because experts outside of the Google fold can help to improve things that its own developers haven’t necessarily found.

The patches shouldn’t take long for a company to deliver, and Samsung was one of the only companies that responded quickly to a request for comment, telling GadgetGuy:

“Protecting our consumers’ privacy is our top priority, and we work hard every day to safeguard our valued Samsung users. Google notified us about the issue, and we are working to roll-out the software update as soon as possible. Samsung encourages users to keep their software and apps updated, and to exercise caution when clicking on an unsecure mail or link.”

For now, take care when dealing with multimedia messages, and look for a patch when it comes out, because this is one bug that needs to be dealt with quick smart.