
Vertu is about to patch nightmare Android bug Stagefright

Android vulnerability leads fancy phone maker to consider monthly security updates

Vertu is set to patch Stagefright on its smartphones, two months after the critical Android vulnerability was first discovered.

The high-end phone maker, whose customers pay tens of thousands of pounds for its range of mobiles, admitted that customers are concerned about the bug, but said it has been unable to fix it until now due to faulty patches issued by Google.

The flaw affects 950 million Android users, and first came to light when security firm Zimperium Research Labs investigated the Android Open Source Project (AOSP - the free code any developers can use to fork their own versions of the mobile operating system) in July.

It found that nearly anyone with an Android phone is at risk, with hackers simply sending picture or video messages containing malicious code that can access the target's data and apps.

In the worst cases, a victim does not even need to open the message for the remote code execution exploit to compromise their device.

Zimperium warned at the time: "The targets for this kind of attack can be anyone from Prime ministers, govt. officials, company executives, security officers to IT managers."

Vertu phones sport a "light customisation" of AOSP, according to its cloud DevOps architect, Rob Charlton, but even so, vendors creating their own versions of Android must tweak any patches to suit their operating systems.

Charlton told IT Pro: "We have to take the upstream patches from Google and people like that. Patches have to bubble up through the different levels of that chain, and Google took quite a while to get the official versions through for this.

"We work with a system integration partner to help manage all the changes required in all that massive amount of software and we work very closely with them when security updates are made to get it out as soon as possible."

However, he added that Stagefright was a much more complicated patch rollout, because Google was forced to issue a second patch in August when its first one did not solve the bug.

The tech giant then claimed that address space layout randomization (ASLR) would stop the attack landing by running apps' processes in random parts of a device's memory, making it harder for a Stagefright exploit to locate them. But researchers found four per cent of attacks per minute continued to be successful, according to Forbes.

"It was an error that was found, and then a fix, and then an error in the fix, and then another fix, and then another error was found, and it's only just coming to resolution now," Charlton said. "It's very difficult for us to manage that with our customers, who hear about it and then they want a fix and we have to try to explain that it's coming, but there's complications.

"That's purely because of how severe the problem with Stagefright was, it was a very broad attack surface that was very suddenly shown to be exposed so that a lot of different places need to be patched."

Vertu will soon join Motorola, Google, Samsung, HTC, Asus and LG as Android vendors who have now patched the flaw, but Charlton - who said no customers have reported any instances of the attack - did not give a date for when the firmware update will be pushed out to customers.

However, he said: "It will come up automatically, so as long as you have the updates turned on it will appear and just update itself."

Monthly patches

The incident has brought a greater focus on security within Vertu, Charlton confirmed, with the company likely to join Samsung and LG in issuing monthly security patches.

"It's probably just increased our resolve to get these patches out in a more timely manner," he told IT Pro. "Normally [we update] once or twice a year, but not at the level required for security patching.

"Over the next year that will probably change as we have to come in line with the way Google and Samsung are doing things. I think all phone manufacturers are going to have to do that."
