“Stagefright Had No Confirmed Cases of Infection,” Google Says Android Security Scares Are Mere Hype
Stagefright security flaw, which prompted Google to change the way it used to respond to security threats by pushing out monthly security updates, probably hasn't infected a single device, Adrian Ludwig, the Lead Engineer for Android Security at Google, said. Ludwig was speaking at this week's RSA Security conference.
Despite all the warnings that are put out against Android security, claiming that over 90 or 95% of all Android devices are vulnerable to these attacks, Ludwig says in reality, there are very few confirmed cases of these flaws being exploited.
The Register reported that Ludwig also cited the MasterKey vulnerability that was spotted in 2013 and FakeID flaw reported in 2014. 99% of Android devices were vulnerable to MasterKey, however, "exploits abusing the security blunder peaked at less than eight infections per million users." He added that there were no exploits for the vulnerability before the details were made public.
82% of devices were vulnerable to FakeID vulnerability. But, "exploits peaked at one infection per million users after the details were released" and not a single incident before that.
Previously, Samsung had also called these threats "theoretical." While Ludwig may play down the severity of Android security, as Google has a reason to do so, it is true that not all the vulnerable devices are, in fact, attacked since most of these flaws still rely on social engineering techniques, such as phishing. Another point to consider is that Ludwig's figures are coming from Google Play services.
Ludwig said he was sure of his figures, due to malware-detection routines, dubbed Verify Apps, in Google Play services, which is installed on more than 1.4 billion Android handhelds. Verify Apps reports back to Google when a software nasty is spotted on the device, allowing the web giant to tot up infection tallies.
This means that other Android stores - aka the infamous Unknown Sources - remain unaccounted for. Considering the sheer number of users in China who have to rely on these third-party app stores, the total number of infected devices could be very high than Google's official estimates.
"Most of the abuse we get isn’t interesting from a security perspective," Ludwig said of Android security threats being simpler in nature. "We see spamming ads for fake antivirus stuff but it’s really basic social engineering. Even if malware is installed it seldom involved privilege escalation, it primarily just downloads other apps."
While Ludwig claims that no one has been affected by Stagefright, the vulnerability is the reason why you get those monthly security updates from Google. It's also the reason Google started pushing its OEMs to send regular security and feature upgrades to their Android devices.