29% of Android devices can’t be patched by Google

That translates to some 409 million unpatchable, active Androids: one big cauldron of hellstew.

Google on Tuesday released the second annual security report on its “toxic hellstew of vulnerabilities,” or what the rest of us know as Android.

You might recall that ZDNet’s Adrian Kingsley-Hughes bestowed this memorable and burbly description on Google’s mobile operating system two years ago, when Android device vendors were lagging in patching vulnerabilities such as Heartbleed on their devices.

Apple CEO Tim Cook loved that description. He put it on screen at Apple’s WWDC developers conference. He also put up a slide of a pie chart showing that 99% of mobile malware was on Android.

They say it got a big laugh. Oh, baby. Neither love nor money can buy you better verbiage for your company slideshow.

Jump forward a year to 2015 and Google’s first-ever Android security report.

Google must have been muttering “Who’s laughing now?” the whole time it was pulling together the review of Android security in 2014, given that it would claim, more or less, to have demolished malware.

Fewer than 1% of Android devices had any malware, Google said in the 2014 report, thanks to scanning done by a product named Verify Apps that sniffs out viruses, ransomware, or other Potentially Harmful Applications (PHAs).

Well, that’s a nifty trick, Naked Security’s Paul Ducklin noted: Google went and “solved” the malware problem by defining it out of existence.

Why fuss with all those scary-sounding subcategories – spyware, backdoor, call_fraud, sms_fraud, phishing, DDoS, ransomware, and even generic_malware – when you can just roll them all up into the much milder-sounding uber-category of “potentially” harmful apps?

Nomenclature aside, even “just” 1% of devices vulnerable to PHAs – what most of us simply call “malware” – out of 1 billion Android devices still adds up to more than 10,000,000 PHA-infected Androids in the wild at any time, as Paul observed.

Jump forward another year to the most recent report, released on Tuesday, and you’ll see that Google’s still got some stew to work out thanks to the Android ecosystem, where patches are still doled out by whim from device makers and phone carriers.

In the wake of Stagefright, that nasty security hole in Android, Google and Samsung launched monthly pushes of security updates last August.

In contrast, some phone carriers seemed stuck in the mud, bogged down by the work of wrapping their own software around Android updates: a consequence of Google leaving updates in the hands of its partners.

Google said in the most recent report that, even though it has been doing monthly security pushes since then, there are still “many” Android devices not receiving monthly updates. It’s going to keep pushing partners to get with the program and update devices “in a timely manner,” the company said.

Google also said that in 2015, it checked over 6 billion installed Android apps per day to protect users from PHAs. It also scanned 400 million devices per day to protect users from network-based and on-device threats.

Google also said that 70.8% of all active Android devices are running modern versions of Android that it supports with patches. Flip the number around, and you’ll find that Google said that it can’t get patches out to 29.2% of Android devices.

That unpatchable landscape maps out like this: Google said in September that there were 1.4 billion active Android devices worldwide at the time.

That translates to some 409 million unpatchable, active Androids: one big cauldron of hellstew.

Presumably, some of the 29% of untouchables can be patched at the whim of vendors. That and $4 will get you a venti latte.

And that, of course, gives you the chance to sit around in a hotspot and pray your phone maker whims you patches so you don’t pick up something nasty off the “free” Wi-Fi.

Image of Android device courtesy of Twin Design / Shutterstock.com

23 Comments

What a poor, unfair post, even for this author…
I know that you sell AV, but c’mon.

Reply

How is the post “unfair”?

Reply

Because the author uses offending sentences, in a way that only an Apple fan could be entitled to do. Because the author seems to give random numbers, presented in a misleading manner, so that 70% out of 1.4 billion is far from noticeable, but instead she focuses on a more than normal 30% of devices still out of reach for security updates. Because she takes for granted that all of this 30% has to be considered endangered devices, without actually having any knowledge of how they are used from a security perspective. Simply useless post.

Reply

Amusingly (though your comment isn’t really funny), our Android anti-virus is free.

Of course, the article isn’t so much about malware as about security patches in general on Android. But then you knew that, because it says so in the headline :-)

Reply

When you add in the fact that AT&T, Samsung, and even Google have filled my phone with bloatware that I don’t want and can’t remove it’s amazing that I manage to install any Android update that finally comes my way. Eventually I’m going to have to replace the phone to stay safe.

16 GB Samsung Galaxy S4 (less than 1 GB free) with 32 GB SD card (30.5 GB free but very few apps can run from there)

Reply

I call BS on google. I have a note3 that they block from being updated since I don’t have phone service. I can still use it on wifi, but updates are blocked because I don’t use it as a phone.

Reply

This lies at the feet of the cell carriers and Google. Apple dictated that their OS would remain under Apple’s control, but Google sold out and allowed the carriers to customize Android. It gave an incentive to the carriers to consider offering Android devices and helped blunt Apple’s early momentum in the space. Unfortunately Google’s sell-your-soul decision now haunts them, as the carriers have little incentive to roll out updates to benefit their customers – the same carriers that stuff previously mentioned bloatware and disable features on these same phones to the annoyance of their customers. For the security-conscious consumer, the options are now either buy your Android phone directly from Google – the Nexus line – or go iPhone. My employer is preparing to move our 100 smartphones to iPhone for this very reason.

Reply

Such negatively biased comments. I’m disappointed. The entire tone of this article reeks of the author’s vile distaste for Android that, for me, turned the whole piece into satire. I had thought I had finally found a good website for keeping updated in all things security (I’m a SonicWall reseller BTW). This article has destroyed that. The search continues. Goodbye Naked Security, how could I trust you now.

Reply

Cry baby. Sounds like you’re a pro at negativity:
“Such negatively biased comments” “I’m disappointed” “this article reeks” “the whole piece into satire” “This article has destroyed that” “how could I trust you now”

Reply

You’re absolutely right, it’s a failing article… Embarrassing how much it’s biased by Android-hater background…
Of course security could be improved at Google, but the editor’s purpose here seems just to be trolling.

Reply

Largely because of all the layers of garbage between Google and me, I will be switching to Apple as soon as my carrier contract is up. I had considered a “pure” Google phone, but thanks to Mahhn, that’s now out, or at least will be another thing to check. I note that I have several Apple devices (iPhones, iPads) that update regularly without having telephone service.

Reply

I have experimented with Cyanogen Mod on my old Android devices, spurred on by Samsung, who ungracefully ditched support early for my then ‘still good’ Galaxy S handset. Whether Cyanogen Mod is a significantly better OS from the security perspective or not seems to be a matter of opinion, however it would appear to offer a new lease of life to older handsets with no bloat and a regular update cycle on a modern Android build.

Of course I run Sophos Mobile Security on my phone as well. :-)

Reply

I’ve got a Nexus 7 2012, for which Google quietly dropped support a year or more ago. (Latest official firmware is 5.0.1).

Your device won’t tell you it’s out of date and will never catch up…because officially it isn’t out of date :-( Would be nice if the device were honest and gave you a warning to buy a new one whenever you tried to update, on the grounds of being “abandonware” hardware.

CyanogenMod has more recent builds of Android 5 for my device (tilapia/nakasig), but good luck trying to get the proprietary parts working, like the Google Play app. (There’s also an unofficial build of Android 6, which required a fair bit of kernel modification, including various hacking of closed-source binary components. Same trouble getting the closed-source parts of Android working, of course…assuming that’s even legal, given that your Android licence is tied to a device where Android 6 and its closed-source apps have never been supported.)

Reply

There’s a big difference between “can’t” and “won’t”. Google stopped sending patches of any kind to older flagship devices (and will likely continue to do so) even though many of us out here that own them would be happy to receive only the security patches (even if we can’t get the other shiny bits). Sure… there’s “can’t” out there but there’s also a case of “won’t”.

Reply

It’s the carrier’s responsibility to apply the patches to their phones. I have a Nexus and it’s patched before I even learn about a patch. So you can’t turn around and blame Google. Sure they created this model but the blame lies with the carrier. As someone said, all they care about is whether you buy a new phone, and in their minds fixing your old one will greatly impede on that. Google should have seen that coming though…

Reply

So, the carrier is the one developing the patches? I doubt that (and hope not), so how can you blame them when it’s Google, unless they’ve modified Google’s source? Like saying it’s AT&T when my iPhone gets patched; it’s not.

Reply

I think it’s fair to say that Google (which controls the ecosystem and sells Android to its OEM partners), and phone vendors (who re-mould Android to suit their own needs), and mobile network providers all play their part in delivering (or failing to deliver) patches.

Our Anonymous commenter here keeps weighing in to exonerate Google at all costs, amusingly by accusing the author of the article of being an Apple fanbuoy/gurl, but I don’t think that’s reasonable.

Reply

It was a good article; with that many phones, it gives you an idea of the numbers.

Speaking of this, anyone know anything about Sailfish OS? A Linux OS for phones. I’ve queried them, but no answer. I’d take my Android and load a Linux variant on board in a heartbeat… Dump this no update stuff…

Reply
