Google claims ‘massive’ Stagefright Android bug had 'sod all effect'

And hackers didn't have much luck either with other flaws in the mobe OS

31 Reg comments Got Tips?

RSA USA Despite shrill wailings by computer security experts over vulnerabilities in Android, Google claims very, very few of people have ever suffered at the hands of its bugs.

Speaking at the RSA security conference in San Francisco on Tuesday, Adrian Ludwig, director of Android security, said the Stagefright hole – which prompted the Chocolate Factory to start emitting low-level security patches on a monthly basis – did put 95 per cent of Android devices at risk of attack. However, there have been no “confirmed” cases of infections via the bug, Ludwig claimed.

It was a similar story for the MasterKey vulnerability that was spotted in 2013, he said. In that case, 99 per cent of Android devices were vulnerable, but exploits abusing the security blunder peaked at less than eight infections per million users, it was claimed. And there were no exploits for the hole before details of the flaw were made public.

He also cited the 2014 FakeID flaw, disclosed at Black Hat that year. This affected 82 per cent of Android users but exploits peaked at one infection per million users after the details were released, and none before that, we're told.

Ludwig said he was sure of his figures, due to malware-detection routines, dubbed Verify Apps, in Google Play services, which is installed on more than 1.4 billion Android handhelds. Verify Apps reports back to Google when a software nasty is spotted on the device, allowing the web giant to tot up infection tallies.

So, basically, Ludwig's claims and figures cover devices with Google Play services installed – Chinese and Amazon Android-based gadgets don't include this software and thus aren't part of the Googler's numbers.

It also fitted a pattern he had noticed, that there isn't really any complex malware out there in the wild infecting Android devices. Software nasties tend to be sleazy apps, installed by punters, that do unpleasant things in the background, rather than malicious code that silently infects devices via webpages, text messages, and so on.

“Most of the abuse we get isn’t interesting from a security perspective,” he said. “We see spamming ads for fake antivirus stuff but it’s really basic social engineering. Even if malware is installed it seldom involved privilege escalation, it primarily just downloads other apps.”

The same thing seems to be happening in Apple's iOS world, too, he said. One reason could be that mobile operating systems are fairly well locked down, and present a restrictive environment to applications, benefiting from lessons learned from the PC industry.

Basically, mobile OSes are too much of a PITA to develop exploits for. They have hardened kernels, app marketplaces patrolled or vetted by full-time staff, and mechanisms such as ASLR and strict sandboxing that hackers struggle to defeat.

With more than a billion Android users out there, Ludwig's happy that Android's various security slip-ups seem to be getting headed off at the pass. ®


Keep Reading

New Google rules mandate Android 'Poundland' Edition, Go, for sub-2GB RAM phones once Android 11 is out

Chocolate Factory actively pushing lightweight OS on less powerful devices

Android user chucks potential $10bn+ sueball at Google over 'spying', 'harvesting data'... this time to build supposed rival to TikTok called 'Shorts'

These are the class-action-suit-joining 'droids lawyers are looking for. (We'll get our coats)

Apple-Google COVID-19 virus contact-tracing API to bar location-tracking access

Renamed 'ExposureNotification' will only only one app per nation

Android 11 will let users stop device-makers from killing background apps, says Google

Users will be able to 'override ... restrictions' on phones and other kit, says engineering team

Google promises another low-end Android effort as it buys into Indian mega-carrier Jio Platforms

$4.5bn splash turns out to be first installment in $10bn ‘Digitisation fund’ and development template for new products

Commit to Android codebase suggests Google may strong-arm phone makers into using 'seamless' partitioned updates

Such a move could standardise deployment of new versions, rather than it being at the whim of OEMs

Health Sec Hancock says UK will use Apple-Google API for virus contact-tracing app after all (even though Apple were right rotters)

Updated It's The Reg wot warned it

Stop tracking me, Google: Austrian citizen files GDPR legal complaint over Android Advertising ID

Claims consent was neither informed, nor specific, nor free – but Google says it cannot identify a user from the ID

Biting the hand that feeds IT © 1998–2020