LAS VEGAS—Google and its Android partners on Wednesday started distributing a fix for a vulnerability that could cause millions of phones to execute malicious code when they’re sent a malformed text message or the user is lured to a malicious website.

The flaw in an Android code library known as Stagefright was disclosed last week, several months after security researchers privately reported it to engineers responsible for Google’s Android operating system. Google engineers, in turn, have introduced changes to the Android text messaging app Messenger. The changes mitigate the threat by requiring users to click on videos before playing them.

Google began pushing out the updated app and other unspecified safeguards to Nexus devices and will be releasing them in open source later in the day, once full vulnerability details are disclosed. Google already sent the fix to hardware partners, and according to the Android Police news site, both Sprint and Samsung have started pushing out the updates. Updated handsets include the Nexus 5 and Nexus 6, the Galaxy S5, S6, S6 Edge, and Note Edge, the HTC One M7, One M8, One M9; LG Electronics G2, G3, G4; Sony Xperia Z2, Xperia Z3, Xperia Z4, Xperia Z3 Compact; and the Android One.

Read 3 remaining paragraphs | Comments


Google pushes fixes for critical code-execution bug in Android