Thursday, 17 September 2015
The single largest software update the world has ever seen
Google, Samsung and LG have patched Stagefright and committed monthly security updates — but many more Androids are left exposed
The Zimperium security analyst who discovered Stagefright, Joshua Drake, revealed the flaw to the public in mid-July, but not before giving Google several months to write a security patch. This is normal practice in the computer security industry, intended to protect users and avoid tipping off hackers. However, industry members also have a social responsibility to disclose vulnerabilities if they think the threat is great enough and the software vendor isn't doing enough to fix it. Fortunately, this wasn't the case. Speaking to NPR on 27 July, Drake said of when he contacted Google in April: “Within 48 hours I had an email [from Google] telling me that they had accepted all of the patches I sent them, which was great.”
So why did the tech giant have to wait until August to make the patch available? Of course, there was some internal beta testing to ensure the bug was completely fixed, but the larger problem was the complicated and difficult job of getting the patch through manufacturers and phone carriers. However, Google managed to surprise everyone who remembered the slow rollout of Android Lollipop. A patch wasn't just announced for Nexus devices: Adrian Ludwig, Android's lead engineer for security, confirmed that Samsung, Motorola, HTC, LG and Sony would push out patches too. “My guess is that this is the single largest software update the world has ever seen,” said Ludwig, making the announcement at the Black Hat hacking conference. “Hundreds of millions of devices are going to be updated in the next few days. It's incredible.”
In addition, Google, Samsung and LG have committed to monthly security updates to ensure vulnerabilities in Android are fixed faster. “Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected,” said Donglin Koh, EVP of Samsung Electronics, Mobile R&D Office. “We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users.”
Nexus devices will continue to receive major updates for at least two years and security patches for the longer of three years from initial availability or 18 months from last sale of the device via the Google Store. At the time of writing, Samsung and LG were yet to give additional details about how and when the monthly updates will begin and for how long they will last.
While the Nexus patch was made available the same day, updates to Android's most popular phones, including the Samsung Galaxy S6, HTC One M9, and LG G4, were rolled out throughout August at unprecedented speed. However, while lower-end manufacturer Alcatel OneTouch have said they will patch their brand-new Idol 3 and Motorola have committed to patching even its budget Moto E handset, the rest of the patches announced at time of writing only applied to flagship devices. There has been no commitment to swift patching for older models, which Zimperium claims are at even greater risk of being exploited via Stagefright.
How to install the patch
While it's referred to as a ‘security patch’, your phone won't interpret it any differently from an ordinary system update. To install it, go to Settings and select System > About phone. In the new menu screen, tap System updates and then tap Check for update. Alternatively, if you would prefer to sideload the update to your Nexus yourself, rather than wait for the over-the-air update, the build name is LMY48I.