Story image

Android's poor system update process is putting devices at risk

12 Dec 2017

The popular Android operating system powers more than two billion devices and cybercriminals have their fingers on the pulse, with an uptick in Android ransomware kits appearing in underground markets.

Carbon Black’s Param Singh says that the median price for Android ransomware is $200, whereas the price of ransomware for Windows 10 is just $10.

This is happening in parallel with the rise of smart devices, many of which will run Android operating systems at home and in the enterprise. Android phones comprise 85% of the smartphone market and cybercriminals go after the most popular platform.

The end result is the need for securing the devices in both the home and enterprise environment, Singh explains.

Google and device manufacturers are also contributing to a fragmentation of software update adoption. Singh says that even one year after Android 7.0 Nougat was released, only 17% of devices run the system. The statistics are poorer for its incremental update Android 7.1 - only 3% of devices currently run it.

“By contrast, Apple iOS 11 reached 52 per cent of Apple’s smartphones in less than two months. Recent research on Android fragmentation issues disclosed that more than 1 billion Android devices have not been updated for two years, and probably never will be,” Singh explains.

Despite improvements to Google Play, device encryption, user permissions, application sandboxing and other security features, Singh says Google must tackle the software update problem otherwise malware will continue to plague devices that are not updated.

“Many smartphone users believe Android is more vulnerable simply because it is open-sourced, although this is simply not true. They feel that making any software open-source allows malicious hackers to see more easily how an application works. Yet open-source also makes it easier for everyone else who is interested to look through code, add enhancements and report security vulnerabilities,” he says.

He believes open source software can more rapidly patch bugs, while commercial vendors have conflicting priorities. Meanwhile, attackers will continue to find and exploit bugs.

“For a successful campaign, such as the fake WhatsApp application that was on Google Play and downloaded by more than a million users, the criminals’ return on investment can be enormous,” he says.

Singh does acknowledge that Android has improved since its initial release 10 years ago.

“At a recent event where security researchers competed to find and exploit vulnerabilities, there was no vulnerability reported for Google’s Pixel 2 phone, compared to Apple iOS 11 which was hacked both on November 1 and November 2. With control over its hardware, one of the important security features of Pixel phones is the immediate access to latest Android OTA (over-the-air) updates,” he says.

This may well solve the slow rate of adoption for newer Android updates, he says.

Singh also recommends:

  • Only using Google Play or trustworthy sources such as Amazon.
  • Checking an application’s reputation, user feedback, app verification and prevalence data to make an informed decision before installing it
  • Paying attention to the permissions applications ask for – these may indicate malicious behaviour. “Proactive users should also enable Google Play Protect’s ‘scan device for security threats’ feature to detect harmful applications when downloaded and on a routine basis.”
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.
How blockchain could help stop video piracy in its tracks
An Australian video tech firm has successfully tested a blockchain trial that could end up being a welcome relief for video creators and the fight against video piracy.
IBM X-Force Red & Qualys introduce automated patching
IBM X-Force Red and Qualys are declaring a war on unpatched systems, and they believe automation is the answer.
Micro Focus acquires Interset to improve predictive analytics
Interset utilises user and entity behavioural analytics (UEBA) and machine learning to give security professionals what they need to execute threat detection analysis.
Raising the stakes: McAfee’s predictions for cybersecurity
Security teams and solutions will have to contend with synergistic threats, increasingly backed by artificial intelligence to avoid detection.
Exclusive: Ping Identity on security risk mitigation
“Effective security controls are measured and defined by the direct mitigation of inherent and residual risk.”