Vertu is about to patch nightmare Android bug Stagefright

Android vulnerability leads fancy phone maker to consider monthly security updates

Vertu is set to patch Stagefright on its smartphones, two months after the critical Android vulnerability was first discovered.

The high-end phone maker, whose customers pay tens of thousands of pounds for its range of mobiles, admitted that customers are concerned about the bug, but said it has been unable to fix it until now due to faulty patches issued by Google.

The flaw affects 950 million Android users, and first came to light in July when security firm Zimperium Research Labs investigated the Android Open Source Project (AOSP, the free code any developer can use to fork their own version of the mobile operating system).

It found that nearly anyone with an Android phone is at risk, with hackers simply sending picture or video messages containing malicious code that can access the target's data and apps.

In the worst instances, a victim does not even need to open the message for the remote code execution attack to compromise their device.

Zimperium warned at the time: "The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers."

Vertu phones sport a "light customisation" of AOSP, according to its cloud DevOps architect, Rob Charlton, but even so, vendors creating their own versions of Android must tweak any patches to suit their operating systems.

Charlton told IT Pro: "We have to take the upstream patches from Google and people like that. Patches have to bubble up through the different levels of that chain, and Google took quite a while to get the official versions through for this.

"We work with a system integration partner to help manage all the changes required in all that massive amount of software and we work very closely with them when security updates are made to get it out as soon as possible."

However, he added that Stagefright was a much more complicated patch rollout, because Google was forced to issue a second patch in August when its first one did not solve the bug.

The tech giant then claimed that address space layout randomization (ASLR) would stop the attack landing. ASLR runs apps' processes in random parts of a device's memory, making it harder for Stagefright to locate them. But researchers found four per cent of attacks per minute continued to be successful, according to Forbes.

"It was an error that was found, and then a fix, and then an error in the fix, and then another fix, and then another error was found, and it's only just coming to resolution now," Charlton said. "It's very difficult for us to manage that with our customers, who hear about it and then they want a fix and we have to try to explain that it's coming, but there's complications.

"That's purely because of how severe the problem with Stagefright was, it was a very broad attack surface that was very suddenly shown to be exposed so that a lot of different places that need to be patched."

Vertu will soon join Motorola, Google, Samsung, HTC, Asus and LG as Android vendors who have now patched the flaw, but Charlton - who said no customers have reported any instances of the attack - did not give a date for when the firmware update will be pushed out to customers.

However, he said: "It will come up automatically, so as long as you have the updates turned on it will appear and just update itself."

Monthly patches

The incident has brought a greater focus on security within Vertu, Charlton confirmed, with the company likely to join Samsung and LG in issuing monthly security patches.

"It's probably just increased our resolve to get these patches out in a more timely manner," he told IT Pro. "Normally [we update] once or twice a year, but not at the level required for security patching.

"Over the next year that will probably change as we have to come in line with the way Google and Samsung are doing things. I think all phone manufacturers are going to have to do that."
