On Thursday, September 12, Duo Security, a young-but-respected vendor of two-factor authentication devices, announced preliminary results from a two-month-old study of over 20,000 Android devices. Based on the results, they calculated that over half of the Android devices on the market have security vulnerabilities that are, as yet, unpatched. The full announcement can be read on their blog at Early Results from X-Ray: Over 50% of Android Devices are Vulnerable.
Duo Security's report is interesting because it highlights a problem that is fundamentally due not to any weakness in Android, but rather to its success. In four years' time, Google's Android operating system has gone from having no presence at all (0%) to a 68.1% share of the smartphone market (source: IDC), taking market share away from Apple, BlackBerry, Microsoft, Nokia and other developers of smartphone operating systems. One reason for that growth curve is that the cost to manufacturers of using Android is much lower than for competing operating systems—most of the operating system's source code, the actual instructions on how it works, can be had for free, making it far less expensive for manufacturers to build devices such as smartphones and tablets on it.
This low cost of entry leads to multiple entrants in the smartphone (and, more recently, tablet) space, including Asus, Lenovo, LG, Motorola, Samsung and Toshiba, to name a few. Each manufacturer creates the devices it thinks will be best for the market, choosing to add—and sometimes remove or replace—features from the base operating system. Those smartphones are, in turn, further customized by carriers such as AT&T, Bell, Rogers, Sprint, T-Mobile, Vodafone, Verizon and so forth. That leads us to the real problem the Android platform has: fragmentation.
Because there are so many different Android devices out there with such varying hardware, each one ends up with an Android operating system and default set of applications that differ slightly from every other device's, and that vary further depending on the carrier network for the device. In case you're wondering how many that is, one organization identified just under 3,997 different devices as of mid-2012 (source: Android Fragmentation Visualized, Staircase 3, Inc.).
Desktop operating systems are designed to be updated by the user, and smartphones from Apple are updated by the manufacturer with little to no difference between carriers. This outpouring of Android archetypes, by contrast, makes it difficult for manufacturers and carriers to provide security updates. In an increasingly competitive market, they are more focused on fixing the major problems consumers notice (short battery life, poor reception, crashes and data loss, etc.) and on getting the next device out before their rivals than on providing a sustained upgrade experience, including security updates, for their current devices. Part of the problem is the cost of testing and deploying updates; it's expensive to do so, and if a mistake is made, a device could be "bricked," i.e., rendered inoperable until reset by the factory.
Does this mean that Android is doomed to be plagued by gaping security holes? For the time being, no, and here's why: Manufacturers and carriers recognize this is a problem, and some have now begun to factor maintenance costs for upgrades into their device life-cycles. Also, the Android community of users itself has come to the rescue, with hobbyists pooling together to create "unofficial" updates for Android devices; ones which include security fixes and updates not provided by the manufacturer. They often perform better than the "stock" operating systems and applications provided at the time of purchase.
The success of Android does mean that criminals are beginning to take notice of it as well and look for ways to take advantage of this new platform. At ESET, only a small fraction of the malware we see on a daily basis is for Android, and almost all of that comes either from third-party app stores or from PCs (not Android devices) sharing infected apps on peer-to-peer networks. Yesterday, ESET Researcher Pierre-Marc Bureau wrote about one criminal gang looking to monetize the Android platform here on the ESET Threat Blog. See Dancing Penguins: A Case of Organized Android Pay Per Install for his article.
So, what can a consumer do to keep their Android smartphone or tablet safe from digital intruders? Here are four guidelines to keeping your device safe and secure:
- If you are in the market for a new Android smartphone, find out how long it will be supported by the carrier and the manufacturer, and what their track record is for providing updates. In the United States, phone contracts typically run for one or two years, so a commitment of 18-24 months of updates is a good sign.
- Stick to your device's official market for apps. In most cases, that's Google Play, but it may also be a store hosted by either the carrier or the device manufacturer. If you choose to install software from another source, make sure it comes from a trusted, reputable company.
- Stay away from pirated software. Popular commercial apps are often cracked and offered for free in third-party app stores or on file-sharing networks, but they usually come bundled with some form of malware. As a rule of thumb, the more popular and well-known the pirated app, the more likely it is to contain malicious code.
- If you have not already done so, consider installing an anti-malware program like ESET Mobile Security on your smartphone or tablet to protect it from malware and theft.
No popular operating system is going to be free of threats; by their very nature, they are going to be targeted. But that doesn't mean you have to be a victim: with a small amount of caution, education and security software on your side, you can easily manage—and, in fact, greatly reduce—the risk of becoming a statistic in a vulnerability study for your platform of choice.
Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher