When it comes to smartphone/mobile security, there are two types of malware.
First there is socially engineered malware. This type of malware, typically in the form of apps, works by tricking users into installing it and then proceeds to abuse access allowed by the operating system — such as apps that text premium numbers to steal money from you. While these malicious apps are annoying and should be avoided, they aren’t too sophisticated in nature and can be dealt with by educating users.
The second type is malware that exploits operating system vulnerabilities. While this type of malware may be delivered in the same way as the first type mentioned above, this type is a lot more sophisticated and operates outside the normal app boundaries set by the operating system. This type of malware is a lot more dangerous than the previous because it exploits underlying insecurities in an operating system, something that can only be fixed through a patch issued by the company that manages the smartphone, tablet, or operating system.
Duo Security, a security startup that pitches itself as providing “strong, scalable security to organizations of any size”, has released results from a project they have been working on. According to these results, over 50% of Android devices worldwide have unpatched operating system vulnerabilities.
You see, Duo Security created an app called ‘X-Ray’ which scans Android devices to see if they contain any known vulnerabilities. X-Ray does not look for malicious or malware apps but rather searches for vulnerabilities existing in the Android operating system. Based on the preliminary results from over 20,000 Android devices around the world, Duo Security is reporting that over half of Android devices are vulnerable because carriers and manufacturers refuse to issue Android updates or patches on a timely basis.
(Note: Duo Security is partly funded by the US government [DARPA] but has also received funding from Google Ventures. Being a commercial entity, I’m sure it has its reasons for conducting these tests but it doesn’t appear as if they have any particular anti-Android bias.)
The last part of the above paragraph is key to note. X-Ray looks for unpatched vulnerabilities — vulnerabilities that are known and Google has fixed but require carriers and manufacturers to push out Android updates to devices. That is the big takeaway Duo Security is trying to drive home: the inability of carriers and manufacturers to issue Android updates in a timely manner is leaving many devices open to exploit, not necessarily that Android is a security-hole-ridden mobile operating system.
Of course, some may ask how Android came to have these vulnerabilities in the first place; if Android didn’t have these exploits to begin with, there would be no need to patch them. This is a valid point but ignores reality. No operating system or program is exploit-free, despite what some people like to claim. That is why the concept of patches was born so long ago: to fix issues not found in testing prior to release. The problem with patches, however, is that they are only effective if the end user applies them. In the case of Android, many end users are not applying patches because their carriers or manufacturers aren’t providing them.
Now the question is what consumers can do to protect themselves. Well, if you are really worried about it, you could switch to an iPhone or iPad. That is not to say iOS is a more secure operating system than Android; that is to say iDevice updates and patches are always pushed to the end consumer in a timely fashion once Apple releases them, so security issues get fixed a lot faster. If you aren’t ready to jump ship, you can commit to only purchasing Nexus devices. Nexus devices are Android devices whose software is directly managed by Google; these devices get updates directly from Google, which significantly decreases the lag time between Android updates and device updates. Of course there are exceptions with Nexus devices, such as how Sprint and Verizon delayed the Jelly Bean update for the CDMA Galaxy Nexus, but generally speaking you can expect a Nexus device to be updated in a timely manner. Lastly, you can read dotTech’s advice on how to stay safe on Android, although that article is more aimed at protecting yourself from malicious apps rather than exploitable OS vulnerabilities.
[via Duo Security, BGR]