Android patches can take months to reach end-user devices through over-the-air updates. That's because manufacturers have to first pull Google's code into their own repositories, build new firmware versions for each of their devices, test them and then work with mobile carriers to distribute the updates. Devices older than 18 months generally stop receiving updates entirely, leaving them vulnerable to newly discovered issues indefinitely.
The vulnerabilities found by Drake affect devices running Android versions 2.2 and higher, which means that there are a huge number of devices that will probably never receive patches for them.
The researcher estimates that only around 20 to 50 percent of the Android devices that are in use today will end up getting patches for the issues he found. He noted that 50 percent is wishful thinking and that he would be amazed if that happened.
In an emailed statement, Google thanked Drake for his contribution and confirmed that patches have been provided to partners.
"Most Android devices, including all newer devices, have multiple technologies that are designed to make exploitation more difficult," the company said. "Android devices also include an application sandbox designed to protect user data and other applications on the device."
What attackers can do after they exploit the vulnerabilities found by Drake can vary from device to device. Their malicious code will be executed with the privileges of the Stagefright framework, which on some devices are higher than on others. In general the attackers will get access to the microphone, camera and the external storage partition, but won't be able to install applications or access their internal data.
That said, Drake estimates that on around 50 percent of the affected devices the framework runs with system privileges, making it easy to gain root access and therefore complete control of the device. On the remaining devices, attackers would need a separate privilege escalation vulnerability to gain full access.
Since the patches for these flaws are not yet in AOSP, device manufacturers that are not Google partners don't have access to them. It also means that third-party AOSP-based firmware like CyanogenMod is still likely vulnerable.
Drake shared the patches privately with some other affected parties, including Silent Circle and Mozilla.
Silent Circle included the fixes in version 1.1.7 of PrivatOS, the Android-based firmware it developed for its Blackphone privacy-focused device.
Mozilla Firefox for Android, Windows and Mac, as well as Firefox OS were affected by the flaws because they used a forked version of Stagefright. Mozilla fixed the issues in Firefox 38, released in May.
Drake plans to present more details about the vulnerabilities along with proof-of-concept exploit code at the Black Hat Security conference on Aug. 5.