Blame carriers for slow or nonexistent patches, even as the number of new, malicious Android apps has increased 41 times since last year.
Android mobile device users beware: The volume of malware targeting Android devices, according to a new study, has increased by a factor of 41 from less than a year ago. Alarmingly, new research also finds that more than half of all Android devices sport unpatched vulnerabilities, owing to device manufacturers and carriers failing to issue timely patches for devices that consumers have already purchased.
The discovery that more than 50% of Android devices have unpatched vulnerabilities is based on findings generated by the free X-Ray For Android app, made by Duo Security, which is a startup firm that's received funding from the Defense Advanced Research Projects Agency (DARPA). "The stat is based on over 20,000 users who downloaded and ran the X-Ray mobile application on their device, and the current global distribution of Android versions," said Jon Oberheide, CTO of Duo Security, via email.
"Yes, it's a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry--carriers, device manufacturers, etc.--has performed thus far," said Oberheide in a related blog post.
Oberheide plans to detail his findings in full Friday at the United Summit conference in San Francisco, and said that unfortunately, the actual quantity of unpatched Android devices may actually exceed 50%. "We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally," he said.
The research from Duo Security squares with a study conducted last year by Bit9, which painstakingly calculated--since much of the related data was not easily accessible--how long it took carriers to issue updates for the top 20 smartphones on the market. Ultimately, it found that only outdated and insecure versions of the Android operating system were available for 56% of the top 20 smartphones, owing to carriers and manufacturers failing to issue timely updates.
In other words, little appears to have changed in carriers' patching practices over the past year. The security result, however, is that people who've purchased Android devices are being put at risk, because attackers can create malware that targets known vulnerabilities that are now present on millions of devices.
On a related note, as of September 2012, security firm Sophos said it's seen a 41-time increase in the number of new, malicious applications targeting Android devices, compared with all of 2011. "Interestingly, the Andr/Boxer family accounts for almost half of the newly discovered samples," said Vanja Svajcer, a principal virus researcher at SophosLabs, in a blog post. "Boxer is ... SMS toll-fraud malware, specifically targeting Eastern European markets so it does not pose a huge threat to the users in the rest of the world." Briefly, SMS toll-fraud apps make infected devices send messages to premium-rate phone numbers, thus draining a user's smartphone account and enriching attackers.
But when it comes to the malware that's actually been detected on Android devices, Svajcer said that in terms of quantity, the two most-seen infections--accounting for nearly half of all Android malware or "junkware" discovered in the wild--aren't SMS toll-fraud apps, but rather what he called "potentially unwanted applications."
"The most reported one, PJApps, is a detection for applications cracked and served through an alternative market app called 'Black Market,'" he said. "The Black Market application was, for a long time, hosted on Google Play before it was removed, indicating that the Google Play vetting policy could be improved." The second-most-detected app, meanwhile, was NewYearL, which he said is used in "applications that bundle an aggressive advertising framework, Airpush." According to the Airpush website, its Android-only ad network interfaces with 40,000 apps and 2,000 advertisers.
But which advertising networks are legitimate, which count as pushy, and which ones cross a clear privacy line by collecting excessive information on users, or break good-behavior guidelines by adding new notification bars to devices, creating dedicated desktop icons or shortcuts, or resetting default homepages to advertiser-selected sites? Answering that question today isn't always easy, although some dedicated Android adware-detection apps can help.
"First, we make it clear that ads in your app must follow the same rules as the app itself," said Google. "Also, it is important to us that ads don't negatively affect the experience by deceiving consumers or using disruptive behavior such as obstructing access to apps and interfering with other ads."
Still, will the changes actually cut down on the prevalence of Android adware? "The policy change is certainly welcome and reflects our opinion that aggressive advertising degrades the user experience of the platform," said Svajcer at Sophos. But he said it remains to be seen how well Google will be able to enforce these policy changes for apps distributed via Google Play, which is Google's official app market.
A Google spokesman didn't immediately respond to an emailed request for comment about how the company plans to enforce the new ad-behavior app guidelines.
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.