Android's poor system update process is putting devices at risk
The popular Android operating system powers more than two billion devices and cybercriminals have their fingers on the pulse, with an uptick in Android ransomware kits appearing in underground markets.
Carbon Black's Param Singh says that the median price for Android ransomware is $200, whereas the price of ransomware for Windows 10 is just $10.
This is happening in parallel with the rise of smart devices, many of which will run Android operating systems at home and in the enterprise. Android phones comprise 85% of the smartphone market and cybercriminals go after the most popular platform.
The end result is the need for securing the devices in both the home and enterprise environment, Singh explains.
Google and device manufacturers are also contributing to a fragmentation of software update adoption. Singh says that even one year after Android 7.0 Nougat was released, only 17% of devices run the system. The statistics are poorer for its incremental update Android 7.1 - only 3% of devices currently run it.
“By contrast, Apple iOS 11 reached 52 per cent of Apple's smartphones in less than two months. Recent research on Android fragmentation issues disclosed that more than 1 billion Android devices have not been updated for two years, and probably never will be,” Singh explains.
Despite improvements to Google Play, device encryption, user permissions, application sandboxing and other security features, Singh says Google must tackle the software update problem otherwise malware will continue to plague devices that are not updated.
“Many smartphone users believe Android is more vulnerable simply because it is open sourced, although this is simply not true. They feel that making any software open source allows malicious hackers to see more easily how an application works. Yet open source also makes it easier for everyone else who is interested to look through code, add enhancements and report security vulnerabilities,” he says.
He believes open source software can more rapidly patch bugs, while commercial vendors have conflicting priorities. Meanwhile, attackers will continue to find and exploit bugs.
“For a successful campaign, such as the fake WhatsApp application that was on Google Play and downloaded by more than a million users, the criminals' return on investment can be enormous,” he says.
Singh does acknowledge that Android has improved since its initial release 10 years ago.
“At a recent event where security researchers competed to find and exploit vulnerabilities, there was no vulnerability reported for Google's Pixel 2 phone, compared to Apple iOS 11 which was hacked both on November 1 and November 2. With control over its hardware, one of the important security features of Pixel phones is the immediate access to latest Android OTA (over-the-air) updates,” he says.
This may well solve the slow rate of adoption for newer Android updates, he says.
Singh also recommends:
- Only using Google Play or trustworthy sources such as Amazon.
- Checking an application's reputation, user feedback, app verification and prevalence data to make an informed decision before installing it
- Paying attention to the permissions applications ask for – these may indicate malicious behaviour. “Proactive users should also enable Google Play Protect's ‘scan device for security threats' feature to detect harmful applications when downloaded and on a routine basis.”