Google has busted out the data to prove doubters wrong about the quality of Android security.
But, according to its second-ever yearly Android security report, issued Tuesday, as many as 420 million active devices are not supported by its patches, leaving a large number open to possible attack.
According to Google’s data, nearly 30 per cent of all active Android phones and tablets (of which there are 1.4 billion at last count) are on a version that does not receive patches. Anyone running an Android version below 4.4.4 does not currently receive security updates from the tech titan. Google, for obvious reasons, recommends users run the most up-to-date operating system. But there’s some good news: even the most high-profile vulnerabilities don’t seem to have been exploited by hackers. Despite the widespread concern around the Stagefright vulnerabilities, which affected nearly 1 billion phones, no successful exploits were ever reported.
And few devices, according to Google’s data, ever get infected with malware. Google claimed fewer than one per cent of devices (roughly 14 million) running the world’s most popular operating system had a Potentially Harmful Application (the company’s term for apps that exhibit some kind of malicious or irksome behaviour) installed during 2015. That figure applies only to devices running Google Mobile Services — a collection of Google apps and tools that partners like Samsung or HTC can run by default if they so choose.
The most troublesome malware in 2015 was Ghost Push, which masqueraded as a legitimate app and, once on an Android device, rooted the phone and then attempted to install more malware. Google found more than 40,000 apps that formed part of the Ghost Push family, both within and outside the Google Play Store. It logged more than 3.5 billion installation attempts for the malicious apps, but the report claimed the number of affected devices was around the four million mark.
Google security improvements
The Mountain View giant has been pushing hard on security, following criticism of both its policies on Google Play admission and the dangers inherent in the fragmented Android ecosystem, where patching of vulnerabilities is mixed at best. In the last year, the Android security team, led by Adrian Ludwig, announced monthly security releases, a bug bounty programme with awards of up to $38,000 per vulnerability, and a promise to warn app developers when their software contained a concerning weakness. Of all patches issued last year, 42 per cent of the Critical, 22 per cent of the High and nine per cent of the Moderate flaws were found by Google staff, which includes the Project Zero elite team dedicated to finding previously unknown vulnerabilities.
Overall, Google handed out $210,161 in Android bug bounties in 2015 (it only launched the Android-specific programme in July) for 30 Critical, 34 High, eight Moderate and 33 Low severity issues (Low-rated bugs are usually not rewarded). Google also claimed to have improved the security of more than 100,000 applications through its warning system.
And it said in 2015 alone it had carried out 400 million automatic security scans per day on devices running Google Mobile Services. Google didn’t report back on any attacks that didn’t use malware, such as man-in-the-middle snooping on phones over networks or in-memory hacks. Acquiring intelligence on such attacks might be tricky, given their surreptitious nature.