The new Android Security Report shows that 29% of Active Devices are not up to date and therefore are vulnerable to malware. IT security experts from Proofpoint, ESET, MWR Infosecurity and Tripwire provide insight into the problem:
David Jevans, VP Mobile Security, Proofpoint:
“These 400 million devices will likely never be updated, as the carriers are no longer pushing updates to older versions of Android. They are all vulnerable to attacks that allow apps to take over the device such, as the new vulnerability that was fixed by Google in March 2016.
The Google security advisory can be found here.
Consumers with Android devices with operating systems older than 4.4.4 should be extremely wary of the apps that they download. Only download highly reviewed apps that have millions of downloads and are currently available on the Google Play store.
Enterprises should not allow employees to connect to corporate email, websites or calendars from devices running Android operating systems older than 4.4.4”
Mark James, Security Specialist, ESET:
“With so many devices being held and used on a daily basis it is very scary indeed that so many are unpatched or running outdated operating systems. The public still underestimates the importance of having the latest OS and even fewer will pick their devices based on its ability to get timely updates.
With these devices being so powerful and capable of doing so much more than phone calls, it is imperative that you understand the importance of updating your device as soon as possible. Of course the problem is not always something that the end user has any control over. The long winding road that updates take to get from the author through to the end user makes it very difficult sometimes to keep your mobile up-to-date.
Always make sure you have a good regular updating internet security product installed on your device and be mindful of where you’re getting your apps from, lastly remember that nothing is free, if it looks too good to be true it often is, keeping your device as safe as possible is a multi-pronged event.”
Henry Hoggard, Security Consultant, MWR InfoSecurity:
“The notion that only 29% of Android devices are at risk is an understatement. There are serious vulnerabilities such as Stagefright [1][2], affecting Android versions 5.1 and below. Devices can be compromised by simply visiting a website, or receiving an MMS message. Privilege escalation vulnerabilities in Android 5.1 and below further exacerbate this issue. Using stats from the Android Developer Dashboard [3], we can see that at least 76% of devices would be at risk, instead of the reported 29%.
Historically, Android devices are slow to receive updates, this is due to a diverse and fragmented update process. This is an issue still apparent in Android with only a 4.6% uptake for the latest version of Android (6.*).
It is recommended that users keep their devices updated to the latest available version. Devices that receive monthly Over-The-Air Security updates as part of the Android Security Bulletin [4] will be best protected.”
[1] https://www.kb.cert.org/vuls/id/924951
[3] https://developer.android.com/about/dashboards/index.html
[4] https://source.android.com/security/bulletin/
Craig Young, Security Researcher, Tripwire:
“Android has really been stepping up its game in the last few releases with respect to security. Monthly security updates, on-device app scanning and migrating WebView updates to the Play Store have all made devices more secure but only if they are running current software. Unfortunately Android’s platform dashboard shows that there are more devices running completely unsupported software than there are devices running with the two latest (5.1 and 6.0) releases. This is definitely a big problem for Android. Patching this bug in the Android ecosystem will probably mean more rules for handset manufacturers to follow if they wish to ship devices with Google’s proprietary apps (Gmail, Maps, Play Store, etc).”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.