Last year computer security experts shed some light on a vulnerability in Android dubbed Stagefright that could allow an attacker to perform actions on a user’s device through remote code execution. The vulnerability affected all Android devices on Froyo 2.2 and above, which led to several major carriers and SMS apps like Textra patching and releasing fixes to attempt to null the impact of such a widespread vulnerability.
At an RSA security conference held in San Francisco, director of Android security Adrian Ludwig said that despite 95% of Android devices being at risk for attack, there were no confirmed cases of infection via the exploit.
If you’re questioning how Ludwig and Google can know that, Ludwig explained that due to Google’s Verify Apps malware detection, they’re able to spot malicious apps installed on the more than 1.4 billion devices with Google Play Services enabled. It’s worth noting that doesn’t account for millions of devices from Chinese manufacturers and Amazon’s bevy of Android devices, as those don’t have GSP on the device.
Ludwig says that most of the malware on Android isn’t as complex as would require an actual Stagefright exploit to be. Most malware originates as an app that installs other apps in the background.
“Most of the abuse we get isn’t interesting from a security perspective. We see spamming ads for fake antivirus stuff but it’s really basic social engineering. Even if malware is installed it seldom involved privilege escalation, it primarily just downloads other apps.”
Despite Ludwig’s claims of no confirmed infections, Stagefright is the reason we get those monthly security updates from Google that seem to turn into quarterly security updates in the hands of other manufacturers.