A new, free app dubbed X-Ray For Android, released this week by Duo Security, aims to help Android users answer that question.
"X-Ray is a mobile application [we] developed ... that allows users to scan their Android device for unpatched vulnerabilities that may be exploitable by malicious apps," said Android security researcher Jon Oberheide, CTO of Duo Security, via email.
Unlike antivirus software, X-Ray isn't designed to compare the signatures of apps installed on a device with a list of suspicious applications. Instead, the app looks for the presence of "all of the major privilege escalation vulnerabilities that have affected the Android platform since its inception," said Oberheide. "Mobile malware authors have capitalized on the fact that such vulnerabilities go unpatched for many months due to conservative carrier patching practices."
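The page does not describe how X-Ray actually tests for each vulnerability, so the following is an added illustration, not Duo Security's code: it contrasts the two approaches above by auditing a device's reported build properties against a catalogue of known-and-fixed privilege escalation bugs rather than against a list of known-bad app signatures. The `ro.build.*` and `ro.product.*` keys are real Android system properties (as printed by `adb shell getprop`), but the `getprop` output and every catalogue entry here are constructed placeholders, and the version-range check is a stand-in for the real scanner's per-bug tests. It also includes the per-manufacturer tally the article says X-Ray reports back.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of `adb shell getprop` output for a hypothetical device.
# Property names are real Android keys; the values and vendor names are made up.
SAMPLE_GETPROP = """
[ro.build.version.release]: [2.3.4]
[ro.build.version.sdk]: [10]
[ro.product.manufacturer]: [ExampleCo]
[ro.product.model]: [Example Phone]
"""

SAMPLE_GETPROP_2 = """
[ro.build.version.release]: [4.0.4]
[ro.build.version.sdk]: [15]
[ro.product.manufacturer]: [OtherCo]
[ro.product.model]: [Other Phone]
"""


@dataclass(frozen=True)
class KnownEscalation:
    """One privilege escalation bug and the release range it affects."""
    name: str            # placeholder identifier, not a real CVE or bug name
    first_affected: str  # earliest release known to carry the bug
    fixed_in: str        # first release that ships the fix


# Hypothetical catalogue; real entries would be sourced from the platform's
# security bulletins and the fix commits, not invented.
CATALOGUE: List[KnownEscalation] = [
    KnownEscalation("EXAMPLE-ESCALATION-A", "1.5", "2.3"),
    KnownEscalation("EXAMPLE-ESCALATION-B", "2.2", "2.3.6"),
    KnownEscalation("EXAMPLE-ESCALATION-C", "4.0", "4.0.4"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.3.4' into (2, 3, 4) so releases compare as tuples."""
    return tuple(int(part) for part in v.split("."))


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse lines of the form '[key]: [value]' into a dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        key, sep, value = line.partition("]: [")
        if not sep or not key.startswith("["):
            continue
        props[key[1:]] = value.rstrip("]")
    return props


def unpatched(props: Dict[str, str], catalogue: List[KnownEscalation]) -> List[str]:
    """Report catalogue entries whose affected range covers this build.

    A device is flagged when its release is at or after first_affected and
    strictly before fixed_in. This is a presence check on the platform build,
    independent of which apps happen to be installed.
    """
    release = parse_version(props["ro.build.version.release"])
    return [
        bug.name
        for bug in catalogue
        if parse_version(bug.first_affected) <= release < parse_version(bug.fixed_in)
    ]


def tally_by_manufacturer(
    reports: List[Tuple[Dict[str, str], List[str]]]
) -> Dict[str, Tuple[int, int]]:
    """Aggregate (devices seen, devices with >=1 unpatched bug) per manufacturer."""
    counts: Dict[str, Tuple[int, int]] = {}
    for props, findings in reports:
        vendor = props.get("ro.product.manufacturer", "unknown")
        seen, vulnerable = counts.get(vendor, (0, 0))
        counts[vendor] = (seen + 1, vulnerable + (1 if findings else 0))
    return counts


if __name__ == "__main__":
    devices = [parse_getprop(SAMPLE_GETPROP), parse_getprop(SAMPLE_GETPROP_2)]
    reports = [(p, unpatched(p, CATALOGUE)) for p in devices]
    for props, findings in reports:
        print(props["ro.product.model"], "->", findings or "no known unpatched escalations")
    print(tally_by_manufacturer(reports))
```

The caveat a practitioner should keep in mind is that a version-range comparison like this one is only an approximation: a carrier can backport a fix without bumping the release string, or ship a release string that never received the fix, so a scanner that wants to be trusted has to test for the specific vulnerable code path on the device rather than infer it from the version number alone.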
The X-Ray app won't protect users from any escalation vulnerabilities it detects, but with luck, it will pressure carriers into getting serious about patching their Android devices. "We hope that X-Ray will raise user awareness about the security of their mobile devices and put pressure on carriers to step up their game when it comes to patching their users' devices," said Oberheide. To that end, the X-Ray software also collects statistics about the vulnerabilities found on a given device to help Duo Security track how many vulnerable Android devices are at large, both by manufacturer and device.
What's the risk from escalation vulnerabilities? "Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system," according to an X-Ray overview published by Duo. Such vulnerabilities haven't just been found in the core Google operating system, but also in many of the Android "skins" or customizations developed by handset makers and added to their Android distributions before smartphones get shipped to subscribers. "Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old," according to Duo Security.
Indeed, according to research conducted last year by Bit9, 56% of the top 20 Android smartphones were running outdated software, leaving them open to attack by malware exploiting known vulnerabilities. The worst offender was Samsung, which took 316 days to patch its Galaxy Mini smartphone after Google released an Android update. Meanwhile, the fastest update--a Droid X patch from Motorola--still required 141 days to be released.
Many security experts blame the patching delay on economics: once carriers sell a phone to a consumer, they're under no obligation to keep it updated. Furthermore, carriers stand to make more money by having customers refresh their handsets to get the latest version of Android, rather than getting it for free by having the vendor patch older devices.
Still, another part of the patch-delay problem can be traced to the Android codebase itself, which remains a patchwork of not just Google code, but functionality from third parties as well. "Google may be in charge of the base Android Open Source Project, but a typical device includes many different packages, drivers, and customizations from carriers, manufacturers, and other third parties, not to mention all the open source components--Linux kernel, WebKit, libraries--owned by various project maintainers," according to Duo Security.