After Stagefright, Samsung and LG join Google with monthly Android patches

Google and its main Android partners have vowed to fix the haphazard approach to patching the world's most widely used mobile OS.
Written by Liam Tung, Contributing Writer

Taking inspiration from Microsoft's monthly patch cycle, Google, Samsung, and LG are promising to deliver regular monthly security updates for Android, starting with a fix for the dangerous Stagefright bug.

It's been a week since Zimperium security researcher Joshua Drake revealed the Stagefright bug, which affects roughly 95 percent of the world's one billion Android handsets and can be remotely exploited if a user receives a malicious media file over MMS.

The bug, which Drake called the worst in Android's history, has drawn criticism of Android handset makers, who have been slammed for delivering patches too slowly or not at all.

Google has been faster to deliver patches to its own Nexus devices but announced yesterday that it would move to a more predictable schedule, issuing monthly security updates for its Nexus devices. It will provide the security patches for either three years from the time the device became available, or 18 months from the time it stopped selling the handset on the Google Store.

The first of these monthly updates addresses Stagefright in the Nexus build LMY481. The update began rolling out as an OTA on Wednesday to the Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. Google has also released factory images containing the fix, which Android Police notes allows Nexus owners running alternative ROMs to install the fix.

Samsung too announced on Wednesday that, in response to Stagefright, it will begin releasing security updates "regularly about once per month".

"With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner," Dong Jin Koh, Samsung's head of mobile research and development, said.

"Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users."

According to Android Police, US carrier Sprint started rolling out the patch yesterday to the Galaxy S6, Galaxy S6 Edge, Galaxy S5, and Galaxy Note Edge.

Google's Ludwig also revealed at Black Hat Las Vegas which other devices had received fixes for Stagefright, and that LG will also be moving to a monthly update process.

LG has confirmed it will begin monthly security updates with carriers.

"LG is committed to bringing its customers the utmost in device security. Toward that goal, we are now starting to roll out updates for in-market LG devices potentially vulnerable to Stagefright. As an additional step, LG will be providing security updates on a monthly basis which carriers will then be able to make available to customers immediately. We believe these important steps will demonstrate to LG customers that security is our highest priority," the company said in a statement.

According to Ars Technica, other devices that have been updated include the HTC One M7, One M8 and One M9. LG has also patched the G2 and G4, while Sony has updated the Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Compact, and the Android One.

Despite the industry-wide effort to fix Stagefright, the publication noted that Google's Ludwig said the threat the bug posed had been exaggerated by Drake, since more than 90 percent of Android devices have an anti-exploitation measure known as address space layout randomisation.
