Google has released an Android update that fixes two critical security holes that were posing great threat to device owners. One threat was similar to Stagefright, and the other Google claims was designed for research work, but could become malicious if intruders found it and modified it.
The Google security update has been released for Nexus users only for now, but has been provided to OEM partners for their smartphones. Therefore, millions of Android phones still remain exposed to the vulnerabilities. The first vulnerability is similar to Stagefright. It could be exploited by sending maliciously formatted jpeg image through Google Talk or Gmail. The crazy thing was that the target didn’t even need to click anything to get exploited, and the malicious code was hidden inside the sent jpeg’s Exif data.
The second vulnerability was disclosed by researcher Mark Brand, reports Ars Technica. It allows attackers to execute malware or escalate local privileges on vulnerable phones. A Google spokesman told the publication that the exploit was for research purposes, and could not be used in real world attacks unless the intruder found it and modified it.
While these security patches are being received by Nexus owners, security firm CheckPoint has further revealed that Google Play has been hosting apps that contain malware called DressCode and CallJam. These malwares take phones to fraud ad revenue making websites. They even prompt users to call paid phone numbers. DressCode could additionally compromise local networks as well. Google has removed the apps since then, but only after many users downloaded the malicious software on their smartphone.
The only concern is that the patch for the two earlier mentioned critical vulnerabilities will reach only few Nexus users for now. Smartphones made by other OEMs are left in a lurch until the manufacturer releases an update with the patch, and even then, old phones that are no more supported won’t get these patches at all. For those old handset users, switching to a new device that is supported by the OEM for regular updates is the only option.