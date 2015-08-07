| LAS VEGAS
LAS VEGAS Aug 6 Google Inc and
Samsung Electronics Co will release monthly security
fixes for Android phones, a growing target for hackers, after
the disclosure of a bug designed to attack the world's most
popular mobile operating system.
The change came after security researcher Joshua Drake
unveiled what he called Stagefright, hacking software that
allows attackers to send a special multimedia message to an
Android phone and access sensitive content even if the message
is unopened.
"We've realized we need to move faster," Android security
chief Adrian Ludwig said at this week's annual Black Hat
security conference in Las Vegas.
Previously, Google would develop a patch and distribute it
to its own Nexus phones after the discovery of security flaws.
But other manufacturers would wait until they wanted to
update the software for different reasons before pushing out a
fix, exposing most of the more than 1 billion Android users to
potential hacks and scams until the fix.
Ludwig also said Google has made other security changes. In
an interview, he told Reuters that earlier this year the team
broke out incidence rates of malicious software by language. The
rate of Russian-language Androids with potentially harmful
programs had spiked suddenly to about 9 percent in late 2014, he
said.
Google made its roughly weekly security scans of Russian
phones more frequent and was able to reduce the problems to
close to the global norm.
Ludwig said improvements to recent versions of Android would
limit an attack's effectiveness in more than nine out of 10
phones, but Drake said an attacker could keep trying until the
gambit worked. Drake said he would release code for the attack
by Aug. 24, putting pressure on manufacturers to get their
patches out before then.
Nexus phones are being updated with protection this week and
the vast majority of major Android handset makers are following
suit, Ludwig said.
Samsung Vice President Rick Segal acknowledged that his
company could not force the telecommunications carriers that buy
its devices in bulk to install the fixes and that some might do
so only for higher-end users.
"If it's your business customers, you'll push it," Segal
said in an interview. Samsung is the largest maker of Android
phones.
Ludwig said many Android security scares were overblown. He
added that only about one in 200 Android phones Google can peer
into have any potentially harmful applications installed at any
point.
Drake noted that those figures exclude some products,
including Fire products from Amazon, which use Android.
As with Apple's iPhones, the biggest security risk comes
with apps that are not downloaded from the official online
stores of the two companies.
Stolen files from Hacking Team, an Italian company selling
eavesdropping tools to government agencies around the world,
showed that a key avenue was to convince targets to download
legitimate-seeming Android and iPhone apps from imposter
websites.
(Reporting by Joseph Menn; Editing by Stephen R. Trousdale and
Richard Chang)