Nine in ten Android phones aren’t protected against major vulnerabilities

Research from the University of Cambridge has revealed that almost nine out of ten Android devices aren't protected against major security vulnerabilities. The team of researchers found that 87% of Android smartphones and tablets are vulnerable to at least one of the 11 major Android bugs revealed in the last five years, such as the recently uncovered Stagefright.

The study points the finger at device manufacturers, criticising them for not providing regular security updates to their Android handsets. It did however find that some manufacturers were more effective in providing security updates than others. Manufacturers were compared using FUM – a score out of ten that combines the proportion of a manufacturer's devices free from critical vulnerabilities (free), the proportion of devices updated to the most recent Android version (update), and the mean number of critical vulnerabilities the manufacturer has not yet fixed on any of its devices (mean).

Google's line of Nexus branded devices scored 5.2 out of 10, LG scored 4 out of 10, Motorola scored 3.1 out of 10, Samsung scored 2.7 out of 10, while Sony and HTC both scored 2.5 out of 10.
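As an added worked example, not code from the article or from the Cambridge researchers: a FUM-style score computed over a constructed fleet snapshot, so the three components above can be seen turning into a single number per manufacturer. The 4/3/3 weighting and the logistic squash of the mean outstanding count follow my reading of the published paper's definition and should be treated as an assumption to verify against the paper; the vendor names, OS versions and bug identifiers are made up, and "not yet fixed" is approximated as "no device of that vendor in the snapshot is patched against it".

```python
import math
from collections import defaultdict
from dataclasses import dataclass

# Constructed snapshot of a device fleet (illustrative values, not the
# Cambridge dataset). Each entry records the vendor, the OS build the unit
# runs, and which of the tracked critical bugs it is still exposed to.
KNOWN_VULNS = frozenset({"BUG-A", "BUG-B", "BUG-C"})  # hypothetical identifiers
LATEST_OS = "5.1.1"                                   # assumed "most recent" build


@dataclass(frozen=True)
class Device:
    vendor: str
    os_version: str
    exposed_to: frozenset  # subset of KNOWN_VULNS still unpatched on this unit


FLEET = [
    Device("VendorX", "5.1.1", frozenset()),
    Device("VendorX", "5.1.1", frozenset()),
    Device("VendorX", "5.0.2", frozenset({"BUG-C"})),
    Device("VendorX", "4.4.4", frozenset({"BUG-B", "BUG-C"})),
    Device("VendorY", "5.0.2", frozenset({"BUG-A", "BUG-C"})),
    Device("VendorY", "4.4.4", frozenset({"BUG-A", "BUG-B", "BUG-C"})),
    Device("VendorY", "4.4.2", frozenset({"BUG-A", "BUG-B", "BUG-C"})),
]


def fum_components(devices):
    """Return (f, u, m) for one vendor's devices.

    f: proportion of devices free from every tracked critical vulnerability
    u: proportion of devices running LATEST_OS
    m: number of tracked vulnerabilities for which no device of this vendor
       is patched (snapshot simplification of the paper's time-averaged
       "mean outstanding" measure; assumption)
    """
    n = len(devices)
    f = sum(1 for d in devices if not d.exposed_to) / n
    u = sum(1 for d in devices if d.os_version == LATEST_OS) / n
    fixed_somewhere = set()
    for d in devices:
        fixed_somewhere |= KNOWN_VULNS - d.exposed_to
    m = len(KNOWN_VULNS - fixed_somewhere)
    return f, u, m


def fum_score(f, u, m):
    """Combine the components into a score out of ten.

    Weights 4/3/3 with a logistic squash of m (assumed from the paper):
    a vendor with f = u = 1 and m = 0 scores exactly 10.
    """
    return 4 * f + 3 * u + 3 * (2 / (1 + math.exp(m)))


def score_by_vendor(fleet):
    """Group the fleet by vendor and score each one, rounded to 2 dp."""
    by_vendor = defaultdict(list)
    for d in fleet:
        by_vendor[d.vendor].append(d)
    return {v: round(fum_score(*fum_components(ds)), 2) for v, ds in by_vendor.items()}


if __name__ == "__main__":
    for vendor, score in score_by_vendor(FLEET).items():
        print(f"{vendor}: {score}/10")
```

VendorX scores 6.5 (half its units clean, half on the latest build, every bug fixed on at least one unit) while VendorY scores 0.72: no unit is clean or current, and two of the three bugs have no fix shipped to any of its devices, which is exactly the "manufacturer has not fixed it" case the study penalises. The same shape of calculation is useful for an internal fleet, with real CVE identifiers and build strings substituted for the constructed ones.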

"Google has done a good job at mitigating many of the risks," said researcher Dr. Alastair Beresford. "We recommend users only install apps from Google's Play Store since it performs additional safety checks on apps. Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users. Phones require updates from manufacturers, and the majority of devices aren't getting them."

When Google prepares an Android software update, it distributes it to manufacturers such as LG and Samsung. These manufacturers then have to apply the changes to their own version of Android and test for device compatibility. More often than not, each Android phone runs a slightly different build of the operating system: a Samsung Note 5 sold via Telstra will have different software from one sold via Vodafone or Optus. Once the manufacturer's work is complete, the update is sent to the respective telco for its own testing, and only after that testing is finished does the telco deploy the update to its customers. Each of these testing stages can take a number of weeks.

Because of this, some Android devices never receive software updates, said Adrian Wood, ethical hacker and director of security firm Whitehack.

"The way Android handles updates like security updates is very different to Apple," Wood told CyberShack when discussing Stagefright earlier in the year. "If an equivalent bug to Stagefright was found on iOS, Apple could just push an update to every iPhone and protect them within 48 hours of it being discovered. Android handles updates slightly differently. The Android source code goes out to manufacturers like Sony, Samsung and LG, and they make tweaks and play around with the code a bit and launch it out on a phone. So when a bug is found, Google can patch the Android source code and push it out to Samsung, but then Samsung has to make it work on their phones."

"If you're a person who's not buying the flagship model of a phone, you can be in a really tricky situation because the support period for Android's operating system is quite short, especially compared to Apple. You could not go to the store and buy a brand new iPhone that's out of the support period."

Following Stagefright's discovery earlier in the year, Google, Motorola, LG, and Samsung all committed to releasing monthly security updates for their Android smartphones.

The researchers at the University of Cambridge analysed data from over 20,000 Android devices. On average, an Android device receives 1.26 updates per year.