
950 Million Android phones left vulnerable

Aug 17, 2015

At Computer Culture we take security very seriously and like to be proactive about it. When we encounter issues that need to be shared we will send out email alerts. Hopefully we can save you time, money and pain by addressing the risks before they become an issue!

We have been made aware of a very serious security flaw in Android phones that requires your attention.

Many of our customers use Android phones (such as the Samsung Galaxy), and a security vulnerability has recently been discovered that affects roughly 950 million of these devices (95%). The vulnerability can allow remote access to your phone without you knowing it, with the ability to access your data, as well as devices in your phone such as your camera and microphone.

The security researcher who discovered the flaw describes this latest Android security flaw as "the worst Android vulnerabilities discovered to date", adding that "if 'Heartbleed' from the PC era sends a chill down your spine, this is much worse."

Google (who produce Android) are aware of the issue and have released a security patch for it. The problem, however, is that the security update has reached very few of the devices in use. The reason is that Google don’t have the ability to patch Android devices directly, as Microsoft can with Windows Update or Apple can with their iPhones. Google releases a patch, which then goes to the phone manufacturer (e.g. Samsung, HTC, Motorola), who need to rebuild their Android software with their customisations and, once it is tested, release the update. The update is then further delayed by carriers (such as Vodafone and Spark), who also need to approve the updates.

The end result is there are A LOT of vulnerable Android phones out there, many of which may never be patched due to their age (often phones older than 18 months stop receiving updates). While most modern Android phones should eventually be patched, there may be a long wait.

It appears the Firefox web browser on all major platforms (Android, Windows, Mac) is also affected by the same vulnerability. Mozilla, the makers of Firefox, released an update to fix the issue in May, so it is also very important that you update Firefox to the latest version if you use it on your computer (our Attiva managed patch service will take care of this automatically for you).

So what’s our advice? Although we are not aware that anyone is taking advantage of this exploit, it is more than likely someone will soon. We recommend you check to see if there are any updates available for your phone, and if there are, apply them immediately. If you are unsure of how to update your device, please let us know and we can help.

Click here to review the research article published describing the security vulnerability and get more info.

We’re monitoring this situation closely and will keep you updated with any additional steps that can be taken to help secure your devices.

If you would like to discuss this further with us, please call our support team on 03 377 4662 or email support@computerculture.co.nz.

Please forward this email on to anyone you know that is using an Android phone.


