9/13/2012
09:36 AM

Android Warning: 50% Of Devices Need Patching

Blame carriers for slow or nonexistent patches, even as the number of new, malicious Android apps has increased 41-fold since last year.

Android mobile device users beware: The volume of malware targeting Android devices, according to a new study, has increased by a factor of 41 from less than a year ago. Alarmingly, new research also finds that more than half of all Android devices sport unpatched vulnerabilities, owing to device manufacturers and carriers failing to issue timely patches for devices that consumers have already purchased.

The discovery that more than 50% of Android devices have unpatched vulnerabilities is based on findings generated by the free X-Ray For Android app, made by Duo Security, which is a startup firm that's received funding from the Defense Advanced Research Projects Agency (DARPA). "The stat is based on over 20,000 users who downloaded and ran the X-Ray mobile application on their device, and the current global distribution of Android versions," said Jon Oberheide, CTO of Duo Security, via email.

"Yes, it's a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry--carriers, device manufacturers, etc.--has performed thus far," said Oberheide in a related blog post.


Oberheide plans to detail his findings in full Friday at the United Summit conference in San Francisco, and said that, unfortunately, the true share of unpatched Android devices may exceed 50%. "We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally," he said.

The research from Duo Security squares with a study conducted last year by Bit9, which painstakingly calculated--since much of the related data was not easily accessible--how long it took carriers to issue updates for the top 20 smartphones on the market. Ultimately, it found that only outdated and insecure versions of the Android operating system were available for 56% of the top 20 smartphones, owing to carriers and manufacturers failing to issue timely updates.

In other words, little appears to have changed in carriers' patching practices over the past year. The security consequence is that people who've purchased Android devices are being put at risk, because attackers can build malware that targets known vulnerabilities still present on millions of devices.

On a related note, as of September 2012, security firm Sophos said it's seen a 41-fold increase in the number of new, malicious applications targeting Android devices, compared with all of 2011. "Interestingly, the Andr/Boxer family accounts for almost half of the newly discovered samples," said Vanja Svajcer, a principal virus researcher at SophosLabs, in a blog post. "Boxer is ... SMS toll-fraud malware, specifically targeting Eastern European markets so it does not pose a huge threat to the users in the rest of the world." Briefly, SMS toll-fraud apps make infected devices send messages to premium-rate phone numbers, thus draining a user's smartphone account and enriching attackers.

But when it comes to the malware that's actually been detected on Android devices, Svajcer said that in terms of quantity, the two most-seen infections--accounting for nearly half of all Android malware or "junkware" discovered in the wild--aren't SMS toll-fraud apps, but rather what he called "potentially unwanted applications."

"The most reported one, PJApps, is a detection for applications cracked and served through an alternative market app called 'Black Market,'" he said. "The Black Market application was, for a long time, hosted on Google Play before it was removed, indicating that the Google Play vetting policy could be improved." The second-most-detected app, meanwhile, was NewYearL, which he said is used in "applications that bundle an aggressive advertising framework, Airpush." According to the Airpush website, its Android-only ad network interfaces with 40,000 apps and 2,000 advertisers.

But which advertising networks are legitimate, which count as pushy, and which ones cross a clear privacy line by collecting excessive information on users, or break good-behavior guidelines by adding new notification bars to devices, creating dedicated desktop icons or shortcuts, or resetting default homepages to advertiser-selected sites? Answering that question today isn't always easy, although some dedicated Android adware-detection apps can help.

Google, however, now appears to be taking aim at the problem, via new advertising-related policies for developers, which the company recently distributed to all registered developers to address "ad behavior in apps."

"First, we make it clear that ads in your app must follow the same rules as the app itself," said Google. "Also, it is important to us that ads don't negatively affect the experience by deceiving consumers or using disruptive behavior such as obstructing access to apps and interfering with other ads."

Still, will the changes actually cut down on the prevalence of Android adware? "The policy change is certainly welcome and reflects our opinion that aggressive advertising degrades the user experience of the platform," said Svajcer at Sophos. But he said it remains to be seen how well Google will be able to enforce these policy changes for apps distributed via Google Play, which is Google's official app market.

A Google spokesman didn't immediately respond to an emailed request for comment about how the company plans to enforce the new ad-behavior app guidelines.

Comments
Messany
User Rank: Apprentice
9/16/2012 | 4:27:43 PM
re: Android Warning: 50% Of Devices Need Patching
I think many - if not most - concerns about mobile privacy/security are blown out of proportion. The biggest concerns are hackers going after big banks, financial institutions, and other places where sensitive personal information can be found. I don't worry so much about mobile ad networks. Airpush's new SDK, for example, was actually planned to coincide with the updated Google Developer Policy - that's in addition to following guidelines from security firm Lookout. So Airpush has done itself, its users, and its industry a huge favor by being responsible for its actions in a really positive way.
AustinIT
User Rank: Apprentice
9/14/2012 | 12:42:45 PM
re: Android Warning: 50% Of Devices Need Patching
The mobile phone industry is ripe for the picking... so to speak. They need a patch model similar to how it is done for PCs. Something has to be done because the carriers do not want the responsibility and cost associated with maintaining users' devices in a current and patched state. Google doesn't want to do it for the same reasons. And, since anti-malware tools are more or less nonexistent for mobile phones, you have a gold mine sitting out there with no defenses.

Even with the level of control that Apple has, it is no wonder they don't want to implement NFC in their devices. Smart move on their part for now.
moarsauce123
User Rank: Ninja
9/14/2012 | 11:28:33 AM
re: Android Warning: 50% Of Devices Need Patching
That has nothing to do with open source or closed source. The carriers insist on having full control over what runs on the devices on their networks. That is no longer open source. If it was true open source then users could get the patches from Google and apply them.
moarsauce123
User Rank: Ninja
9/14/2012 | 11:27:04 AM
re: Android Warning: 50% Of Devices Need Patching
So the only reaction would be for Google to provide patches that users can download and apply, regardless how tardy and inept the carrier is.
Number 6
User Rank: Moderator
9/13/2012 | 7:20:06 PM
re: Android Warning: 50% Of Devices Need Patching
The carriers are the roadblock. A few well-placed lawsuits for damages will put an end to that. Can you hear me now, Verizon and AT&T?
Mathew
User Rank: Moderator
9/13/2012 | 4:28:51 PM
re: Android Warning: 50% Of Devices Need Patching
Respectfully disagree on the "patch" front. Regardless of whether people are downloading fake apps or getting emailed viruses, those apps are exploiting well-known vulnerabilities that haven't been patched--or fixed, if you like--in many cases because device manufacturers and distributors aren't issuing updates to recent versions of the Android operating system that do have patches for the known vulnerabilities.
ukjb
User Rank: Strategist
9/13/2012 | 4:07:36 PM
re: Android Warning: 50% Of Devices Need Patching
You can't patch stupid. Most Android "viruses" are people downloading fake apps.
dbtinc
User Rank: Apprentice
9/13/2012 | 3:18:19 PM
re: Android Warning: 50% Of Devices Need Patching
This remains a problem for "open source" software. While I like my Android smartphones, I give the edge to the iPhone for maintenance.