So you might have heard about the Stagefright vulnerability that was published yesterday. While there's no evidence of a widely-used hack, the potential for malicious MMS attacks via Android's built-in media handling system (which could theoretically affect the majority of Android devices currently in operation) is certainly cause for concern. As reported in our original post, Google has known about the vulnerability since April and has been working on patches to fix the problem.
We've received a statement attributed to a Google spokesperson [emphasis ours]:
"This vulnerability was identified in a laboratory setting on older Android devices, and as far as we know, no one has been affected. As soon as we were made aware of the vulnerability we took immediate action and sent a fix to our partners to protect users...
"As part of a regularly scheduled security update, we plan to push further safeguards to Nexus devices starting next week. And, we'll be releasing it in open source when the details are made public by the researcher at BlackHat."
So, Nexus devices (hopefully including those that haven't been updated to Android 5.1) will begin to be patched next week. Of course, that still leaves the vast majority of Android phones vulnerable to the exploit, but Google has shared its continuing research with device makers and will make at least some of its solutions open source. CyanogenMod has already started issuing patches for the latest builds.
Once the details of the exploit are more thoroughly published, it will be a call to arms to Android device manufacturers (who don't have the best collective record for speedy updates) to make their products safe in a timely manner. BlackHat begins next week in Las Vegas.