Vertu is about to patch nightmare Android bug Stagefright

Android vulnerability leads fancy phone maker to consider monthly security updates

Vertu is set to patch Stagefright on its smartphones, two months after the critical Android vulnerability was first discovered.

The high-end phone maker, whose customers pay tens of thousands of pounds for its range of mobiles, admitted that customers are concerned about the bug, but said it has been unable to fix it until now due to faulty patches issued by Google.

The flaw affects 950 million Android users, and first came to light when security firm Zimperium Research Labs investigated the Android Open Source Project (AOSP - the free code any developers can use to fork their own versions of the mobile operating system) in July.

It found that nearly anyone with an Android phone is at risk, with hackers simply sending picture or video messages containing malicious code that can access the target's data and apps.

In the worst instances, a victim does not even need to open the message for the remote code execution to Trojan their device.

Zimperium warned at the time: "The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers."

Vertu phones sport a "light customisation" of AOSP, according to its cloud DevOps architect, Rob Charlton, but even so, vendors creating their own versions of Android must tweak any patches to suit their operating systems.

Charlton told IT Pro: "We have to take the upstream patches from Google and people like that. Patches have to bubble up through the different levels of that chain, and Google took quite a while to get the official versions through for this.

"We work with a system integration partner to help manage all the changes required in all that massive amount of software and we work very closely with them when security updates are made to get it out as soon as possible."

However, he added that Stagefright was a much more complicated patch rollout, after Google was forced to issue a second patch in August after its first one did not solve the bug.

The tech giant then claimed that something called address space layout randomization (ASLR) would stop the attack landing, by running apps' processes in random parts of a device's memory, making it harder for Stagefright to locate them, but researchers found four per cent of attacks per minute continued to be successful, according to Forbes.

"It was an error that was found, and then a fix, and then an error in the fix, and then another fix, and then another error was found, and it's only just coming to resolution now," Charlton said. "It's very difficult for us to manage that with our customers, who hear about it and then they want a fix and we have to try to explain that it's coming, but there's complications.

"That's purely because of how severe the problem with Stagefright was, it was a very broad attack surface that was very suddenly shown to be exposed so that a lot of different places that need to be patched."

Vertu will soon join Motorola, Google, Samsung, HTC, Asus and LG as Android vendors who have now patched the flaw, but Charlton - who said no customers have reported any instances of the attack - did not give a date for when the firmware update will be pushed out to customers.

However, he said: "It will come up automatically, so as long as you have the updates turned on it will appear and just update itself."

Monthly patches

The incident has brought a greater focus on security within Vertu, Charlton confirmed, with the company likely to join Samsung and LG in issuing monthly security patches.

"It's probably just increased our resolve to get these patches out in a more timely manner," he told IT Pro. "Normally [we update] once or twice a year, but not at the level required for security patching.

"Over the next year that will probably change as we have to come in line with the way Google and Samsung are doing things. I think all phone manufacturers are going to have to do that."

Featured Resources

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Simplify cluster security at scale

Centralised secrets management across hybrid, multi-cloud environments

Download now

The endpoint as a key element of your security infrastructure

Threats to endpoints in a world of remote working

Download now

2021 state of IT asset management report

The role of IT asset management for maximising technology investments

Download now

Recommended

Bank-targeting malware disguises itself as video conferencing software
Security

Bank-targeting malware disguises itself as video conferencing software

19 Oct 2020
What is hacktivism?
hacking

What is hacktivism?

13 Oct 2020
Microsoft: Iranian hackers are exploiting ZeroLogon flaw
Security

Microsoft: Iranian hackers are exploiting ZeroLogon flaw

6 Oct 2020
Your essential guide to internet security
Security

Your essential guide to internet security

23 Sep 2020

Most Popular

Do smart devices make us less intelligent?
artificial intelligence (AI)

Do smart devices make us less intelligent?

19 Oct 2020
Politicians need to stop talking about technology
Policy & legislation

Politicians need to stop talking about technology

21 Oct 2020
Best MDM solutions 2020
mobile device management (MDM)

Best MDM solutions 2020

21 Oct 2020