Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities.
The Google Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities allow an attacker to send a media file over a MMS message targeting the device's media playback engine, Stagefright, which is responsible for processing several popular media formats.
Attackers can steal data from infected phones, as well as hijacking the microphone and camera.
Android is currently the most popular mobile operating system in the world -- meaning that hundreds of millions of people with a smartphone running Android 2.2 or newer could be at risk.
Joshua Drake, mobile security expert with Zimperium, reports
A fully weaponized successful attack could even delete the message before you see it. You will only see the notification...Unlike spear-phishing, where the victim needs to open a PDF file or a link sent by the attacker, this vulnerability can be triggered while you sleep. Before you wake up, the attacker will remove any signs of the device being compromised and you will continue your day as usual – with a trojaned phone.
Zimperium say that "Google acted promptly and applied the patches to internal code branches within 48 hours, but unfortunately that’s only the beginning of what will be a very lengthy process of update deployment."
NPR report that while Google gives its latest version of the Android OS to the manufacturers of smartphones and tablets, it's up to the manufacturers to "tweak it as they please."
Silent Circle report their Blackphone was patched "weeks ago," similarly CyanogenMod report the vulnerabilities "have been patched in CM12.0 and 12.1 nightlies for a couple weeks" and Mozilla has already patched the vulnerability in Firefox 38. Some manufacturers are still to release official updates.
Security software and hardware vendor Sophos report that Google Nexus users are probably "already safe" but they "can't be sure which other device vendors have already patched, unless they choose to say so, because Zimperium is keeping the exploits under wraps" until the Black Hat USA conference on August 5.
Andrew Ludwig, Google's lead engineer for Android security, said
Updates are truly a last resort. They should be neither the first nor the only step in a multi-layered stack of security technology.
I’m optimistic that advanced exploitation mitigation technology in Android will help us to move beyond the period of time when fast patching was the only solution available to secure devices. And I look forward to more research into how these technologies can be used to prevent exploitation on Android and other platforms.
One of the first steps for users to protecting their Android devices from the Stagefright issues is to disable the setting to "automatically retrieve" MMS messages and Google Hangouts. This should be done in the phone’s messaging app. However, because the vulnerability is in the Stagefright media library, MMS delivery is only one way of targeting Stagefright.
While Google has classified the Stagefright vulnerabilities as "high", Ludwig has advised caution against a blanket assumption that all bugs are necessarily exploitable, saying "There’s a common, mistaken, assumption that any software bug can be turned into a security exploit. In fact, most bugs aren’t."
Google have announced their Android Security Rewards program to encourage researchers to prove an issue is exploitable, paying up to $30,000 to developers that provide working remote exploits.