Almost nine in 10 Android devices 'vulnerable' to attack

15 October 2015, 11:47   By Justin Schamotta

A MAJORITY of Android devices are vulnerable to at least one of 11 bugs unleashed in the past five years, say scientists from the University of Cambridge.

In a test of 20,400 devices, they flagged 87.7% as insecure on any given day - meaning that the device's operating system wasn't patched against a selection of critical vulnerabilities.

The problem, say the team behind the study, is that handset makers are failing to deliver patches quickly enough.

"Few devices receive prompt updates, with an overall average of 1.26 updates per year," say the authors.

Bugs

The bugs covered by the team include the recently discovered Towelroot exploit, which gives root access to nearly every Android device on the market. This allows potential attackers to run malware with administrative privileges.

Another security hole - Fake ID - enables malware to impersonate trusted applications without any user notification.

Vulnerabilities are difficult to stamp out, as the tiniest opportunities can be exploited by those who know what they're doing, with spectacularly harmful results.

The recent Stagefright vulnerability allowed malware to be sent in video files via MMS. This was possible because of a flaw in the "libstagefright" mechanism that helps Android process video files.

Once a phone was infected, hackers could access everything from stored media through to personal information - and around 95% of Android devices are vulnerable.

Since then a newer version has appeared, dubbed Stagefright 2.0.

This is composed of two security holes that allow attackers to take over smartphones via an MP3 or MP4 video.

More than one billion devices are vulnerable, though Google say their Nexus smartphones will be patched in the October update.

Those of us with other Android devices are just as reliant on the companies that manufactured them for security patches, but the researchers aren't impressed with their efforts:

"The bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities."

What's more, they say, there is currently "little incentive for manufacturers to provide updates".

Naming and shaming

The study required the University of Cambridge team to develop a way to rank devices based on their overall security.

The ranking system takes into account the number of days a proportion of the devices being monitored had no known security vulnerabilities (Free), and the proportion running the latest version of Android (Update).

Then they looked at the mean number of security vulnerabilities that hadn't been fixed on any of the devices a particular manufacturer sells (Mean).

Combined, this gives what the researchers called an "FUM security metric", which operates on a scale of one to 10, with 10 being best.

Top scoring devices included Google's Nexus with 5.2 out of 10, LG with 4 out of 10, and Motorola with 3.1 out of 10.

Across the board, however, Android devices scored a feeble 2.87 out of 10.

But what about us?

While the FUM ratings are useful for those in the market for a new device, they provide little reassurance to the rest of us.

It goes without saying that we should install operating system updates and security patches as soon as they're available.

Another thing we can do to keep our phones a bit safer is to install a good security app. Free versions are offered by Avast, Norton and Symantec.

It's also good practice to check the list of permissions when installing an Android app. It may seem tedious, but simply clicking "allow all" opens us up to pretty much anything.

When checking permissions, look for those that seem illogical, like a request for access to email contacts when it's just not necessary - and if in doubt, cancel the download.

Another good rule of thumb is to avoid downloading apps from outside the Android market on Google Play.

This doesn't guarantee an app's safety - Google Play have worked hard to increase security and reduce the amount of malware sneaking into their marketplace, but even the previously inviolable Apple App Store has been shown to be vulnerable.

But downloading an app from somewhere else puts us at a far greater risk of downloading something containing Android malware.
