The slow distribution of security updates, coupled with version fragmentation, is the Achilles heel of the Android ecosystem, according to many security researchers. All software has bugs, but a developer's ability to create and distribute patches quickly plays a critical role in limiting the impact of potential vulnerabilities.
Researchers expect to find more vulnerabilities in Android's multimedia processing components, especially because they're designed to parse input from untrusted sources.
Vulnerabilities often stem from applications behaving abnormally when they receive unexpected input, so programs that process files have naturally been more likely to contain vulnerabilities. Media libraries and frameworks fall into this category because video and audio files are complex and take a lot of processing. The files can carry various metadata, encodings, formats and containers, providing many opportunities for malformed input.
"Further research into Android -- especially the mediaserver service -- may find other vulnerabilities that could have more serious consequences to users, including remote code execution," the Trend Micro researchers said.
Joshua Drake, a security researcher who recently found critical vulnerabilities in Android's Stagefright multimedia framework, described the component's code as "not very mature" and its security flaws as "beginner-ish."