Story image

Android's poor system update process is putting devices at risk

12 Dec 2017

The popular Android operating system powers more than two billion devices and cybercriminals have their fingers on the pulse, with an uptick in Android ransomware kits appearing in underground markets.

Carbon Black’s Param Singh says that the median price for Android ransomware is $200, whereas the price of ransomware for Windows 10 is just $10.

This is happening in parallel with the rise of smart devices, many of which will run Android operating systems at home and in the enterprise. Android phones comprise 85% of the smartphone market and cybercriminals go after the most popular platform.

The end result is the need for securing the devices in both the home and enterprise environment, Singh explains.

Google and device manufacturers are also contributing to a fragmentation of software update adoption. Singh says that even one year after Android 7.0 Nougat was released, only 17% of devices run the system. The statistics are poorer for its incremental update Android 7.1 - only 3% of devices currently run it.

“By contrast, Apple iOS 11 reached 52 per cent of Apple’s smartphones in less than two months. Recent research on Android fragmentation issues disclosed that more than 1 billion Android devices have not been updated for two years, and probably never will be,” Singh explains.

Despite improvements to Google Play, device encryption, user permissions, application sandboxing and other security features, Singh says Google must tackle the software update problem otherwise malware will continue to plague devices that are not updated.

“Many smartphone users believe Android is more vulnerable simply because it is open-sourced, although this is simply not true. They feel that making any software open-source allows malicious hackers to see more easily how an application works. Yet open-source also makes it easier for everyone else who is interested to look through code, add enhancements and report security vulnerabilities,” he says.

He believes open source software can more rapidly patch bugs, while commercial vendors have conflicting priorities. Meanwhile, attackers will continue to find and exploit bugs.

“For a successful campaign, such as the fake WhatsApp application that was on Google Play and downloaded by more than a million users, the criminals’ return on investment can be enormous,” he says.

Singh does acknowledge that Android has improved since its initial release 10 years ago.

“At a recent event where security researchers competed to find and exploit vulnerabilities, there was no vulnerability reported for Google’s Pixel 2 phone, compared to Apple iOS 11 which was hacked both on November 1 and November 2. With control over its hardware, one of the important security features of Pixel phones is the immediate access to latest Android OTA (over-the-air) updates,” he says.

This may well solve the slow rate of adoption for newer Android updates, he says.

Singh also recommends:

  • Only using Google Play or trustworthy sources such as Amazon.
  • Checking an application’s reputation, user feedback, app verification and prevalence data to make an informed decision before installing it
  • Paying attention to the permissions applications ask for – these may indicate malicious behaviour. “Proactive users should also enable Google Play Protect’s ‘scan device for security threats’ feature to detect harmful applications when downloaded and on a routine basis.”
SecOps: Clear opportunities for powerful collaboration
If there’s one thing security and IT ops professionals should do this year, the words ‘team up’ should be top priority.
Interview: Culture and cloud - the battle for cybersecurity
ESET CTO Juraj Malcho talks about the importance of culture in a cybersecurity strategy and the challenges and benefits of a world in the cloud.
Enterprise cloud deployments being exploited by cybercriminals
A new report has revealed a concerning number of enterprises still believe security is the responsibility of the cloud service provider.
Ping Identity Platform updated with new CX and IT automation
The new versions improve the user and administrative experience, while also aiming to meet enterprise needs to operate quickly and purposefully.
Venafi and nCipher Security partner on machine identity protection
Cryptographic keys serve as machine identities and are the foundation of enterprise information technology systems.
Machine learning is a tool and the bad guys are using it
KPMG NZ’s CIO and ESET’s CTO spoke at a recent cybersecurity conference about how machine learning and data analytics are not to be feared, but used.
Seagate: Data trends, opportunities, and challenges at the edge
The development of edge technology and the rise of big data have brought many opportunities for data infrastructure companies to the fore.
Popular Android apps track users and violate Google's policies
Google has reportedly taken action against some of the violators.