Google claims ‘massive’ Stagefright Android bug had 'sod all effect'

RSA USA Despite shrill wailings by computer security experts over vulnerabilities in Android, Google claims very, very few of people have ever suffered at the hands of its bugs.

Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted the Chocolate Factory to start emitting low-level security patches on a monthly basis – did put 95 per cent of Android devices at risk of attack. However, there have been no “confirmed” cases of infections via the bug, Ludwig claimed.

It was a similar story for the MasterKey vulnerability that was spotted in 2013, he said. In that case, 99 per cent of Android devices were vulnerable, but exploits abusing the security blunder peaked at less than eight infections per million users, it was claimed. And there were no exploits for the hole before details of the flaw were made public.

He also cited the 2014 FakeID flaw, disclosed at Black Hat that year. This affected 82 per cent of Android users but exploits peaked at one infection per million users after the details were released, and none before that, we're told.

Ludwig said he was sure of his figures, due to malware-detection routines, dubbed Verify Apps, in Google Play services, which is installed on more than 1.4 billion Android handhelds. Verify Apps reports back to Google when a software nasty is spotted on the device, allowing the web giant to tot up infection tallies.

So, basically, Ludwig's claims and figures cover devices with Google Play services installed – Chinese and Amazon Android-based gadgets don't include this software and thus aren't part of the Googler's numbers.

It also fitted a pattern he had noticed, that there isn't really any complex malware out there in the wild infecting Android devices. Software nasties tend to be sleazy apps, installed by punters, that do unpleasant things in the background, rather than malicious code that silently infects devices via webpages, text messages, and so on.

“Most of the abuse we get isn’t interesting from a security perspective,” he said. “We see spamming ads for fake antivirus stuff but it’s really basic social engineering. Even if malware is installed it seldom involved privilege escalation, it primarily just downloads other apps.”

The same thing seems to be happening in Apple's iOS world, too, he said. One reason could be that mobile operating systems are fairly well locked down, and present a restrictive environment to applications, benefiting from lessons learned from the PC industry.

Basically, mobile OSes are too much of a PITA to develop exploits for. They have hardened kernels, app marketplaces patrolled or vetted by full-time staff, and mechanisms such as ASLR and strict sandboxing that hackers struggle to defeat.

With more than a billion Android users out there, Ludwig's happy that Android's various security slip-ups seem to be getting headed off at the pass. ®