Vertu is about to patch nightmare Android bug Stagefright

Vertu is set to patch Stagefright on its smartphones, two months after the critical Android vulnerability was first discovered.

The high-end phone maker, whose customers pay tens of thousands of pounds for its range of mobiles, admitted that customers are concerned about the bug, but said it has been unable to fix it until now due to faulty patches issued by Google.

The flaw affects 950 million Android users, and first came to light in July when security firm Zimperium Research Labs investigated the Android Open Source Project (AOSP), the freely available code base that any developer can use to fork their own version of the mobile operating system.

It found that nearly anyone with an Android phone is at risk, with hackers simply sending picture or video messages containing malicious code that can access the target's data and apps.

In the worst instances, a victim does not even need to open the message: the malicious media is processed automatically, giving the attacker remote code execution on the device.

Zimperium warned at the time: "The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers."

Vertu phones sport a "light customisation" of AOSP, according to its cloud DevOps architect, Rob Charlton, but even so, vendors creating their own versions of Android must tweak any patches to suit their operating systems.

Charlton told IT Pro: "We have to take the upstream patches from Google and people like that. Patches have to bubble up through the different levels of that chain, and Google took quite a while to get the official versions through for this.

"We work with a system integration partner to help manage all the changes required in all that massive amount of software and we work very closely with them when security updates are made to get it out as soon as possible."

However, he added that Stagefright was a much more complicated patch rollout, after Google was forced to issue a second patch in August after its first one did not solve the bug.

The tech giant then claimed that address space layout randomisation (ASLR), which loads app processes at random locations in a device's memory so that an exploit cannot reliably predict where the code it needs will sit, would stop the attack landing. Researchers, however, found that four per cent of attacks per minute continued to be successful, according to Forbes.

"It was an error that was found, and then a fix, and then an error in the fix, and then another fix, and then another error was found, and it's only just coming to resolution now," Charlton said. "It's very difficult for us to manage that with our customers, who hear about it and then they want a fix and we have to try to explain that it's coming, but there's complications.

"That's purely because of how severe the problem with Stagefright was; it was a very broad attack surface that was very suddenly shown to be exposed, so that a lot of different places need to be patched."

Vertu will soon join Motorola, Google, Samsung, HTC, Asus and LG as Android vendors who have now patched the flaw, but Charlton - who said no customers have reported any instances of the attack - did not give a date for when the firmware update will be pushed out to customers.

However, he said: "It will come up automatically, so as long as you have the updates turned on it will appear and just update itself."

Monthly patches

The incident has brought a greater focus on security within Vertu, Charlton confirmed, with the company likely to join Samsung and LG in issuing monthly security patches.

"It's probably just increased our resolve to get these patches out in a more timely manner," he told IT Pro. "Normally [we update] once or twice a year, but not at the level required for security patching.

"Over the next year that will probably change as we have to come in line with the way Google and Samsung are doing things. I think all phone manufacturers are going to have to do that."