The discovery that more than 50% of Android devices have unpatched vulnerabilities is based on findings generated by the free X-Ray For Android app, made by Duo Security, which is a startup firm that's received funding from the Defense Advanced Research Projects Agency (DARPA). "The stat is based on over 20,000 users who downloaded and ran the X-Ray mobile application on their device, and the current global distribution of Android versions," said Jon Oberheide, CTO of Duo Security, via email.
"Yes, it's a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry--carriers, device manufacturers, etc.--has performed thus far," said Oberheide in a related blog post.
Oberheide plans to detail his findings in full Friday at the United Summit conference in San Francisco, and said that, unfortunately, the true share of unpatched Android devices may exceed 50%. "We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally," he said.
The research from Duo Security squares with a study conducted last year by Bit9, which painstakingly calculated--since much of the related data was not easily accessible--how long it took carriers to issue updates for the top 20 smartphones on the market. Ultimately, it found that only outdated and insecure versions of the Android operating system were available for 56% of the top 20 smartphones, owing to carriers and manufacturers failing to issue timely updates.
In other words, little appears to have changed in carriers' patching practices over the past year. The security result, however, is that people who've purchased Android devices are being put at risk, because attackers can create malware that targets known vulnerabilities that are now present on millions of devices.
On a related note, security firm Sophos said that as of September 2012 it had seen a 41-fold increase in the number of new, malicious applications targeting Android devices, compared with all of 2011. "Interestingly, the Andr/Boxer family accounts for almost half of the newly discovered samples," said Vanja Svajcer, a principal virus researcher at SophosLabs, in a blog post. "Boxer is ... SMS toll-fraud malware, specifically targeting Eastern European markets so it does not pose a huge threat to the users in the rest of the world." Briefly, SMS toll-fraud apps make infected devices send messages to premium-rate phone numbers, draining the user's smartphone account and enriching the attackers who control those numbers.
But when it comes to the malware that's actually been detected on Android devices, Svajcer said that in terms of quantity, the two most-seen infections--accounting for nearly half of all Android malware or "junkware" discovered in the wild--aren't SMS toll-fraud apps, but rather what he called "potentially unwanted applications."
"The most reported one, PJApps, is a detection for applications cracked and served through an alternative market app called 'Black Market,'" he said. "The Black Market application was, for a long time, hosted on Google Play before it was removed, indicating that the Google Play vetting policy could be improved." The second-most-detected app, meanwhile, was NewYearL, which he said is used in "applications that bundle an aggressive advertising framework, Airpush." According to the Airpush website, its Android-only ad network interfaces with 40,000 apps and 2,000 advertisers.
But which advertising networks are legitimate, which count as pushy, and which ones cross a clear privacy line by collecting excessive information on users, or break good-behavior guidelines by adding new notification bars to devices, creating dedicated desktop icons or shortcuts, or resetting default homepages to advertiser-selected sites? Answering that question today isn't always easy, although some dedicated Android adware-detection apps can help.
Google, however, now appears to be taking aim at the problem, via new advertising-related policies for developers, which the company recently distributed to all registered developers to address "ad behavior in apps."
"First, we make it clear that ads in your app must follow the same rules as the app itself," said Google. "Also, it is important to us that ads don't negatively affect the experience by deceiving consumers or using disruptive behavior such as obstructing access to apps and interfering with other ads."
Still, will the changes actually cut down on the prevalence of Android adware? "The policy change is certainly welcome and reflects our opinion that aggressive advertising degrades the user experience of the platform," said Svajcer at Sophos. But he said it remains to be seen how well Google will be able to enforce these policy changes for apps distributed via Google Play, which is Google's official app market.
A Google spokesman didn't immediately respond to an emailed request for comment about how the company plans to enforce the new ad-behavior app guidelines.