Android Security Report: 29 Percent of Active Devices Not Up To Patch Levels

Google released its annual Android Security Report, a state of the union on the Android ecosystem.

Last year was a landmark time for Android security. Google dealt with a major vulnerability in Stagefright, launched a monthly patch release and vulnerability rewards program, and continued to chip away at the number of malicious applications that find their way onto devices.

Given all of that progress, however, Google still struggles with the economics of an ecosystem that undermines some of its security efforts.

Patches for OS, kernel and firmware flaws for OEM Android phones, for example, still must be implemented in new devices by manufacturers, who are also supposed to ensure that over-the-air updates are pushed to phones by the carriers. That isn’t always the case.

In its annual Android Security Report, published today, Google said that 71 percent of active Android devices are running on Android 4.4.4 and higher, the only versions supported by Google with security updates.

According to the Android developer dashboard, 33.4 percent of devices are on 4.4, or KitKat, with 40.4 percent running Lollipop or Marshmallow. That still leaves a sizeable number of Android devices running on an unsupported, out of date operating system.

The monthly update system, which was launched right alongside the Stagefright disclosures, is a regular over-the-air update for Nexus devices and patch delivery system for Google’s mobile partners. Samsung, BlackBerry and LG were among the first to promise to provide monthly updates to carriers.

“We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs,” said Adrian Ludwig, lead engineer for the Android security team in a blogpost today. “Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices.

“Despite this progress, many Android devices are still not receiving monthly updates—we are increasing our efforts to help partners update more devices in a timely manner,” Ludwig said.

The Android Security Report is a state of the union address from Google on the provider’s mobile ecosystem. In it, Google trumpets news security features introduced into Marshmallow such as full disk encryption and encryption of data on SD cards, greater ability to manage app permissions, a verified boot that ensures OS security from the bootloader up, and the inclusion of the Android security patch level, an instant barometer of a phone’s patch levels.

Google said it continues to knock down what it calls potentially harmful applications, with growing success in keeping malicious apps out of Google Play (0.15 percent of devices, compared to about 0.5 percent that install apps from third-party sources). Google also reported year-over-year fewer installations of apps from Google Play that collect device data, as well as fewer instances of syware and downloaders.

Apps from outside of Google Play, however, went up in almost all of those categories, in particular with malicious downloaders and Trojans showing up on 2.6 percent and 1 percent of devices respectively.

Ghost Push is one of those malicious downloaders, which has been public since October 2014, and last summer it spiked to 30 percent of installation attempts worldwide on Android. Google said it found more than 40,000 Ghost Push apps and more than 3.5 billion installation attempts.

The report said that Google investigated and found that a company in Southeast Asia responsible for providing OTA update infrastructure and updates to Android manufacturers and carriers was compromised.

We were able to determine that the large number of installation attempts we saw were caused by the OTA company continuously trying to install Ghost Push applications on user devices. In some instances, bugs in the application installation software caused the OTA company to try to install the same application hundreds of times onto a single device—with all but one installation attempt failing,” Google said in its report. “We are working with the OTA company to develop a better security process to scan the applications they send out to devices.”

As for Stagefright, despite the angst and a number of other related vulnerabilities, Google said it did not see or receive reports of public exploits, despite some reports of attacks being folded into active exploit kits.

“One important goal of releasing this report is to drive an informed conversation about Android security. We hope to accomplish this by providing more information about what we are doing, and what we see happening in the ecosystem,” Google’s Ludwig said. “We strongly believe that rigorous, data-driven discussion about security will help guide our efforts to make the Android ecosystem safer.”

Suggested articles

Discussion

  • BT7474 on

    Forget the waffle! There should be a Google Web Page with a database of manufacturers with their; model numbers, dates, problems solved and also their patch; versions used. Instead of misleading consumers. Since Stagefright can delete itself how does Google expect people who aren't given the correct training to know that they have been hacked? Did Google continue to tell 3rd party partners even when they knew that the 1st Stagefright Patch didn't work that the Stagefright problem has been solved? Why was a 2nd patch created to solve Stagefright when Google was stating that the 1st patch had solved the Stagefright (probably the most dangerous Trojan problem in history?
  • Old Bull Lee on

    With so many OS updates bricking the devices within a couple of years from purchase (including Google's own Nexus), users are heavily incentivized to reject updates.
  • Mike on

    So many bricking devices? Where are you getting your information from? I have never had an update "brick" my device and I do not know of a single person that has.
  • Old Bull Lee on

    Google "android update bricked phone" or similar.
  • Brandt on

    April's update bricked my Nexus 6.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.