Security researchers scared the shit out of Android users last week when they revealed a vulnerability that let hackers control your phone with a single text. In a session at Black Hat, Google's Adrian Ludwig just explained exactly how it's being fixed, calling it the biggest software update in history. He seems pretty chill about the whole thing, too.
At the "Android Security State of the Union" talk, Ludwig launched into new details about how Google's fast and aggressive efforts to patch the so-called libstagefright vulnerability. This particularly nasty problem enabled hackers to send any Android user a multimedia message (namely, a video) with malware embedded in the code. Thanks to a feature in Hangout, the file would load automatically so that you'd be able to see a little thumbnail of the video right away. The vulnerability leaves nearly a billion Android phones exposed.
So Google's fixing it — and fast. Right now, updates are being pushed over the air to the entire Nexus line that will stop the messenger app from preloading assets like malware embedded videos. (Good idea!) Millions of non-Nexus phones will get the same update this week. In the meantime, Ludwig encourages everyone to use a different messaging app.
"We're in the midst of what I think might be the largest software update the world has ever seen," Ludwig told the crowd of hackers in Las Vegas, adding that this will be a teaching moment. "We don't know what happens in a software ecosystem where everything is different. This hasn't happened before."
The encouraging news, Ludwig said, is that users running Ice Cream sandwich or later should be safe already thanks to some code that mitigates exploits while the code is being fixed. This news came after about 45 minutes of the Google lead engineer cheerleading Android's unique security features. The team is working hard to make sure nothing like this happens again, but like Ludwig said, it's tough when you're running an open software platform that's used by 950 million people.
That said, the state of the union for Android is strong, says Ludwig. Right after that, he sort of said that he has to say that because that's just what you say at a state of the union address. It would have been pretty funny if he'd said the state of the union was fucked though. Because damn, this messaging vulnerability — and that largest software update in history detail — is crazy.