Google has revealed that it will now release monthly security updates for its Nexus family of devices, just days after a huge vulnerability was exposed in its Android OS, despite the company having been given a patch for it months ago.
Security researcher Joshua Drake revealed last week how easy it can be to hijack an Android device using innocent-looking multimedia content, like an MMS message or a video embedded in a specially constructed web page. The vulnerability targets a core component of Android - Stagefright, which is used to manage multimedia content - to gain access to other functions on a device, even without the knowledge of its owner.
Drake said that he had created patches for the vulnerability, and sent them to Google in April - but the lethargic pace at which Android updates roll out meant that an estimated 95% of active devices still remain unprotected, including almost all of Google"s Nexus range. But now, Google is stepping up to offer better security protection for its devices, starting with a patch for the Stagefright exploit.
In a blog post, Google said that "Android was built from day one with security in mind", and noted various measures it has taken to try to improve security further - in its ecosystem and on-device - in recent years. But it also announced that, "from this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates".
The first such update has already begun, heading to the following devices:
- Nexus 4
- Nexus 5
- Nexus 6
- Nexus 7
- Nexus 9
- Nexus 10
- Nexus Player
As Google explained:
This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues. At the same time, the fixes will be released to the public via the Android Open Source Project.
Alongside the new monthly security updates, Google said it remains committed to rolling out major updates for Nexus devices "for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store."
Source: Google (Android Blog)