About half of all Android phones contain at least one vulnerability that could be used to take control of the device, according to new research. Duo Security, which launched a free vulnerability scanning app for Android this summer, said its preliminary data from users shows that a huge number of the devices are vulnerable to at least one of the known Android flaws.
The X-Ray app from Duo scans Android devices for a set of known vulnerabilities across a variety of Android releases. Many of them are flaws that attackers have used in the last few months. The main issue with Android security and patches is that each carrier is responsible for pushing out new versions of the operating system to its users, and they all do it on their own timelines. There’s no set interval for updates and users don’t have to upgrade, so there’s a good chance that many users are running older, vulnerable versions of Android at any given time.
And that’s exactly what the data Duo collected from the 20,000 devices on which X-Ray is installed shows: There are a lot of vulnerable Android devices floating around out there.
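The reporting above boils down to one defensive question a fleet owner can ask of their own inventory: what fraction of devices run an Android release older than the one a given fix shipped in? The script below is an added example written for this article; it is not Duo’s X-Ray code and it detects no specific flaw. The inventory records, the carrier names and the minimum-release policy are constructed placeholders. It compares dotted release strings correctly (so "4.1" is not treated as older than "4.0.4"), refuses to count unparsable records as safe, and breaks exposure down by carrier, which is where the article says the patch delay originates.

```python
"""Fleet exposure check keyed on Android release.

Added example for this article, not Duo Security's X-Ray app.
Inventory records and the minimum-release policy are constructed.
"""
from collections import Counter

# Constructed inventory: (device_id, carrier, reported android release)
INVENTORY = [
    ("dev-001", "carrier-a", "2.3.6"),
    ("dev-002", "carrier-a", "4.0.4"),
    ("dev-003", "carrier-b", "4.1.1"),
    ("dev-004", "carrier-b", "2.3.3"),
    ("dev-005", "carrier-c", "4.0"),
    ("dev-006", "carrier-c", "bogus"),   # malformed report from the agent
]

# Constructed policy: the release in which the fix of interest shipped.
# Anything strictly below it is treated as unpatched.
MIN_RELEASE = "4.1"


def parse_release(text):
    """'4.0.4' -> (4, 0, 4). Raises ValueError on anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed release string: {text!r}")
    return tuple(int(p) for p in parts)


def is_below(release, minimum):
    """True if release < minimum, comparing component-wise as integers.

    Shorter tuples are zero-padded so '4.1' and '4.1.0' compare equal and
    '4.1' sorts above '4.0.4' (a plain string compare would get this wrong).
    """
    a, b = parse_release(release), parse_release(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess(inventory, minimum=MIN_RELEASE):
    """Summarise fleet exposure relative to a minimum release.

    Unparsable records go to 'unknown' rather than being counted as safe,
    since an agent that cannot report its version is not evidence of a patch.
    """
    exposed, unknown = [], []
    by_carrier = Counter()
    for device_id, carrier, release in inventory:
        try:
            below = is_below(release, minimum)
        except ValueError:
            unknown.append(device_id)
            continue
        if below:
            exposed.append(device_id)
            by_carrier[carrier] += 1
    assessed = len(inventory) - len(unknown)
    return {
        "total": len(inventory),
        "assessed": assessed,
        "exposed": exposed,
        "unknown": unknown,
        "exposed_fraction": (len(exposed) / assessed) if assessed else 0.0,
        "exposed_by_carrier": dict(by_carrier),
    }


if __name__ == "__main__":
    report = assess(INVENTORY)
    print(f"{len(report['exposed'])}/{report['assessed']} assessed devices "
          f"below {MIN_RELEASE} ({report['exposed_fraction']:.0%})")
    for carrier, count in sorted(report["exposed_by_carrier"].items()):
        print(f"  {carrier}: {count} exposed")
    if report["unknown"]:
        print(f"  unparsable reports: {', '.join(report['unknown'])}")
```

Running it against the constructed inventory reports four of five assessed devices below 4.1 and one device whose version report could not be parsed. Swapping `MIN_RELEASE` for the release that carried a particular fix turns the same script into a per-fix exposure count for a real fleet.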
“Since we launched X-Ray, we’ve already collected results from over 20,000 Android devices worldwide. Based on these initial results, we estimate that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary,” Jon Oberheide of Duo Security wrote in a blog post on the results.
“Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far. We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.”
Android has the largest market share of any mobile platform, and attackers have been targeting the OS with malicious apps, exploits for known vulnerabilities and other attacks for several years now. Unlike Apple, which releases new versions of iOS on a fairly regular basis and pushes them to all users at the same time, regardless of carrier, each carrier that sells Android phones is responsible for getting updates to its own users. Users, of course, have the option of ignoring the updates, which would leave them vulnerable to any flaws that had been patched in a new release.
“As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users’ mobile devices often remain vulnerable for months and even years,” Oberheide said.