Last year was a landmark time for Android security. Google dealt with a major vulnerability in Stagefright, launched a monthly patch release and vulnerability rewards program, and continued to chip away at the number of malicious applications that find their way onto devices.
Given all of that progress, however, Google still struggles with the economics of an ecosystem that undermines some of its security efforts.
Patches for OS, kernel and firmware flaws in OEM Android phones, for example, still must be integrated into device builds by the manufacturers, who in turn depend on carriers to push the resulting over-the-air updates to phones. That doesn't always happen.
In its annual Android Security Report, published today, Google said that 71 percent of active Android devices are running on Android 4.4.4 and higher, the only versions supported by Google with security updates.
According to the Android developer dashboard, 33.4 percent of devices are on 4.4, or KitKat, with 40.4 percent running Lollipop or Marshmallow. That still leaves a sizeable number of Android devices running on an unsupported, out of date operating system.
The monthly update system, which was launched right alongside the Stagefright disclosures, is a regular over-the-air update for Nexus devices and a patch delivery channel for Google's mobile partners. Samsung, BlackBerry and LG were among the first to promise to provide monthly updates to carriers.
“We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs,” said Adrian Ludwig, lead engineer for the Android security team, in a blog post today. “Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices.
“Despite this progress, many Android devices are still not receiving monthly updates—we are increasing our efforts to help partners update more devices in a timely manner,” Ludwig said.
The Android Security Report is a state of the union address from Google on its mobile ecosystem. In it, Google trumpets new security features introduced in Marshmallow, such as full disk encryption and encryption of data on SD cards, finer-grained control over app permissions, verified boot that checks the integrity of the OS from the bootloader up, and the inclusion of the Android security patch level, a date string that shows at a glance how current a phone's patches are.
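The two figures in the report that matter most for a fleet are the ones above: whether a device runs a release Google still supports (4.4.4 or higher) and how old its security patch level is. The script below, an added example that is not part of the report or of any Google tooling, turns both into a single check over captured `adb shell getprop` output. The property names `ro.build.version.release` and `ro.build.version.security_patch` are real; the 90-day staleness threshold, the `MIN_SUPPORTED` cutoff taken from the report, the reference date and the sample property dump are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the report): classify an Android device from its
# build properties. Release cutoff follows the report (4.4.4 and higher are
# the supported versions); the patch-age limit is an assumption.
MIN_SUPPORTED=4.4.4

# Return 0 when dotted version $1 >= $2, comparing up to three numeric parts
# so that "4.4" is treated as 4.4.0 and sorts below 4.4.4.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa > yb) exit 0
            if (xa < yb) exit 1
        }
        exit 0
    }'
}

# Days since 1970-01-01 for a YYYY-MM-DD string (proleptic Gregorian,
# Hinnant's days_from_civil), so patch-level ages can be computed in plain sh.
days_from_date() {
    awk -v d="$1" 'BEGIN {
        split(d, p, "-"); y = p[1] + 0; m = p[2] + 0; dd = p[3] + 0
        if (m <= 2) { y -= 1; m += 12 }
        era = int((y >= 0 ? y : y - 399) / 400)
        yoe = y - era * 400
        doy = int((153 * (m - 3) + 2) / 5) + dd - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        print era * 146097 + doe - 719468
    }'
}

# Pull one value out of captured `adb shell getprop` output, whose lines
# look like "[ro.build.version.release]: [6.0.1]". Prints nothing if absent.
prop_value() {
    printf '%s\n' "$2" | sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Classify one device. Arguments: release, security patch level (may be
# empty), reference date (YYYY-MM-DD, normally today), max patch age in days.
# Prints UNSUPPORTED, SUPPORTED_STALE or SUPPORTED_CURRENT and returns 0
# only for SUPPORTED_CURRENT, so it can drive a fleet report or an alert.
assess_device() {
    release=$1; patch=$2; today=$3; max_age=$4
    if ! version_ge "$release" "$MIN_SUPPORTED"; then
        echo UNSUPPORTED; return 2
    fi
    # Builds that predate the monthly program do not set the property at all;
    # an empty patch level therefore means "never received a monthly update".
    if [ -z "$patch" ]; then
        echo SUPPORTED_STALE; return 1
    fi
    age=$(( $(days_from_date "$today") - $(days_from_date "$patch") ))
    if [ "$age" -gt "$max_age" ]; then
        echo SUPPORTED_STALE; return 1
    fi
    echo SUPPORTED_CURRENT; return 0
}

# Constructed sample: what `adb shell getprop` might return for one device.
SAMPLE_GETPROP='[ro.build.version.release]: [6.0.1]
[ro.build.version.security_patch]: [2016-04-02]
[ro.build.version.sdk]: [23]'

# Demo run against the constructed sample with an assumed reference date.
rel=$(prop_value ro.build.version.release "$SAMPLE_GETPROP")
pl=$(prop_value ro.build.version.security_patch "$SAMPLE_GETPROP")
echo "release=$rel patch_level=$pl -> $(assess_device "$rel" "$pl" 2016-04-19 90)"
```

On a live device `adb shell getprop ro.build.version.security_patch` prints the date directly, and prints an empty line on builds that never received a monthly update; the script treats that case as stale rather than as an error, which is the conservative reading for an inventory. The version comparison is numeric per component, so a device reporting "4.4" (KitKat without the 4.4.4 patch release) correctly lands in the unsupported bucket.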
Google said it continues to knock down what it calls potentially harmful applications, with growing success in keeping malicious apps out of Google Play: about 0.15 percent of devices that install apps only from Google Play encountered one, compared to about 0.5 percent of devices that also install apps from third-party sources. Google also reported fewer installations from Google Play, year over year, of apps that collect device data, as well as fewer instances of spyware and downloaders.
Apps from outside of Google Play, however, went up in almost all of those categories, in particular with malicious downloaders and Trojans showing up on 2.6 percent and 1 percent of devices respectively.
Ghost Push is one of those malicious downloaders. It has been publicly known since October 2014, and last summer it spiked to 30 percent of installation attempts worldwide on Android. Google said it found more than 40,000 Ghost Push apps and more than 3.5 billion installation attempts.
The report said that Google investigated and found that a company in Southeast Asia responsible for providing OTA update infrastructure and updates to Android manufacturers and carriers was compromised.
“We were able to determine that the large number of installation attempts we saw were caused by the OTA company continuously trying to install Ghost Push applications on user devices. In some instances, bugs in the application installation software caused the OTA company to try to install the same application hundreds of times onto a single device—with all but one installation attempt failing,” Google said in its report. “We are working with the OTA company to develop a better security process to scan the applications they send out to devices.”
As for Stagefright, for all the angst it caused and the string of related vulnerabilities that followed, Google said it neither observed nor received reports of public exploits, although there have been some reports of Stagefright attacks being folded into active exploit kits.
“One important goal of releasing this report is to drive an informed conversation about Android security. We hope to accomplish this by providing more information about what we are doing, and what we see happening in the ecosystem,” Google’s Ludwig said. “We strongly believe that rigorous, data-driven discussion about security will help guide our efforts to make the Android ecosystem safer.”