Google, Samsung team up on monthly patch plan for Android
Move, announced at Black Hat, follows Stagefright scare
Google and Samsung will collaborate on a plan to release monthly security patches for malware-magnet Android, Reuters reported.
The move comes after Android, the world's most popular mobile OS, was revealed to have a software vulnerability called Stagefright, which allowed malicious software to access handsets' sensitive data through the sending of a multimedia message, even if that message remained unopened.
Security solutions vendors have long warned that Android-targeting malware is surging in volume. Google, which owns Android, traditionally distributes security fixes to its own Nexus smartphones first, but Nexus represents a tiny install base compared with the more than 1bn Android smartphones used worldwide, and other manufacturers and their users have had to wait for the patches.
"We've realised we need to move faster," said Android security chief Adrian Ludwig at this week's annual Black Hat security conference in Las Vegas.
Ludwig claimed that recent updates to Android meant Stagefright would be less effective in nine out of 10 handsets, but Joshua Drake, the security researcher who exposed the vulnerability, said an attacker could keep trying until they got a result.
Drake has promised to release exploit code for Stagefright on 24 August.
Samsung vice president Rick Segal, whose company has the largest Android install base, warned that Samsung could not enforce the update's distribution through telecoms operators that buy its devices in bulk, and said some may only push the patch out to premium users.
"If it's your business customers, you'll push it," he said. Samsung is the largest maker of Android phones.
Ludwig claimed many stories of Android vulnerabilities were exaggerated and said only about one in 200 Android handsets have harmful software installed at any given moment. But Drake pointed out that those figures exclude products such as Amazon's Fire range.