LAS VEGAS–Google is changing the way that it updates its Nexus Android phones and will now send out monthly over-the-air updates to users. The first update is being pushed out today, and the company said that other Android handset manufacturers are planning to follow suit and provide monthly updates to carriers.

The moves are a welcome change for Android users who are at the mercy of carriers for patches and other software updates. Individual carriers are responsible for sending out their own Android patches, and security researchers have been critical of the carriers in the past for being slow to do so–or for not patching at all. The change from Google, LG, and Samsung comes a week after the disclosure of a serious vulnerability in Stagefright, a component of Android that handles media playback.

That bug, discovered by researcher Joshua Drake of Zimperium, enables an attacker to gain control of a target device by sending a specially crafted malicious MMS message to it. Google has been aware of the vulnerability for several months and is pushing out the patch for it to Nexus users today. In a talk at the Black Hat conference here Wednesday, Adrian Ludwig, lead engineer for Android security at Google, said the company plans more frequent updates for Nexus users and for other handset makers.

“From this week on, Nexus devices will receive regular OTA updates each month focused on security, in addition to the usual platform updates. The first security update of this kind began rolling out today, Wednesday August 5th, to Nexus 4, Nexus 5, Nexus 6, Nexus 7, Nexus 9, Nexus 10, and Nexus Player. This security update contains fixes for issues in bulletins provided to partners through July 2015, including fixes for the libStageFright issues,” Ludwig wrote in a blog post explaining the changes.

The shift to monthly updates gives Nexus users a better chance of being safe from emerging vulnerabilities and attacks. But customers who use other handsets still have to rely on their carriers to actually push out the patches that the manufacturers provide. Both LG and Samsung, two of the larger Android manufacturers, have committed to getting those updates to carriers more quickly.

“With the recent security issues, we have been rethinking the approach to getting security updates to our devices in a more timely manner. Since software is constantly exploited in new ways, developing a fast response process to deliver security patches to our devices is critical to keep them protected. We believe that this new process will vastly improve the security of our devices and will aim to provide the best mobile experience possible for our users,” said Dong Jin Koh, executive vice president and head of Mobile Research and Development Office, IT & Mobile Communications at Samsung.

 
