LAS VEGAS—Hundreds of millions of Android devices will get updates to combat the Stagefright vulnerability in what might be the world's largest software update, Google's lead engineer for Android Security, Adrian Ludwig, said here at Black Hat.

Stagefright is a flaw in the way Android processes video files sent via text message: it could allow an attacker to execute code on your device simply by sending you a text message. It was discovered by researcher Josh Drake and named after the section of code that contains the vulnerability.

While Google's Ludwig had a lot to say about the state of Android security, much of it was in the context of Stagefright. "It is the case that nearly all Android devices had a vulnerability," he confirmed.

Google is currently updating all Nexus devices to address the Stagefright vulnerability, he said. Other device manufacturers are also following Google's lead and working to push out Google's patch to their customers. Ludwig called it "the single largest unified software update the world has ever seen." And given that there are 1 billion estimated Android users, he might be right.

"Hundreds of millions of devices will be updated in the next few days," said Ludwig. That's especially welcome news because Drake submitted patches when he disclosed the vulnerability to Google. It was expected that those patches would take many more weeks to find their way to users who don't use Nexus phones, potentially leaving millions without the means to protect themselves from Stagefright.

All Nexus devices and these will receive Stagefright updates says Ludwig. #BHUSA pic.twitter.com/xXuK1PNNvB — Max Eddy (@wmaxeddy) August 5, 2015

Though he was emphasizing the effort taken by Google and its Android partners to patch Stagefright, Ludwig admitted that Google could have done more. "As an industry, we've looked over the events of the last few days and weeks," he said. "We need to move faster and we need to tell people what we are doing."

To that end, Ludwig announced that Google would provide monthly security updates and service bulletins. Samsung and LG, said Ludwig, have made similar commitments.

"We're in the midst of the largest software update the world has ever seen," said Ludwig. "Until next month, when we do it again."

A Diverse Environment

Throughout his presentation, Ludwig frequently returned to the idea that—contrary to popular belief—the diversity of Android makes it safer. Commentators, this author, and others at PCMag have held that the fragmented nature of Android makes it hard to push security updates. Prior to Black Hat, the estimated number of distinct Android devices rose to well over 24,000.

But Ludwig countered that the diversity of Android means that the ecosystem as a whole is stronger because every exploit requires customization to work across Android devices. "Crop blights happen because everything is the same," he said.

Ludwig said something similar at the 2014 RSA Conference. "A single gold master with a bug affects hundreds of millions of users," he said at the time. "There is no single gold master [for Android]; every device is built from source that differs."

In a separate presentation at Black Hat, Drake disagreed with this conclusion. "Diversity in the ecosystem complicates research, but it's not a barrier to exploitation," he said.

The State of the Union

Though Stagefright cast a long shadow over Ludwig's talk, and Black Hat in general, he had much to say on the subject of Android security. The talk was among the highest profile of the conference, taking place immediately after the keynote and in the same location. It was styled as a State of the Union speech, and Ludwig maintained that the state of Android security was strong.

Ludwig took care to acknowledge the work of the security industry and researchers. He also discussed the behind-the-scenes protections that Google provides. Google Play, for example, has given Google enormous insight into app development, allowing the company to better evaluate the risks of particular apps. Ludwig called Verify Apps, a service that evaluates apps installed on Android devices from outside Google Play, "the world's largest antivirus service. A billion devices checking with Google to see if an app is safe."

He also mentioned SafetyNet, an intrusion-detection system that monitors high-risk devices. According to Ludwig, around 200 million devices checked in with SafetyNet, and only around half a percent had something harmful. Despite that impressive number, Ludwig said that Google never expects to reach zero because of the size of the Android ecosystem. "Someone will always write something," he said.
