Cambridge University study finds 87 percent of Android devices vulnerable to attack

The new research uncovers how far behind the Android ecosystem is with tackling security, despite all those recent pledges about monthly patches.

Android handset makers’ failure to deliver timely security updates leaves almost everyone open to attack.

That’s among the conclusions of a study from Cambridge University that sought to quantify just how bad the Android security situation had become.

To compile the data, the group of researchers published a Data Analyzer app to the Google Play Store. Along with giving a lot of people the ability to participate, it ensured that phones without Google Play services that are targeted at emerging markets weren’t counted in the results. As a result, the team acquired data from 20,000 different Android devices, with most being from major manufacturers like Samsung, LG, HTC, and Motorola. You can download and run the app yourself to give the team more data to work with.

The research, which was partially funded by Google, is ongoing, so you can download the app to your own Android phone to contribute.

With the data, the Cambridge group then created a score for how quickly all the major manufacturers were applying the latest security updates to their devices. The full results reveal that it isn’t a pretty picture.

Data for the research was collected from over 20,000 Android devices running the data analyzer app.

Why this matters: The Stagefright vulnerability demonstrated how quickly one security issue could threaten a ton of devices. That’s because Android updates run into a bottleneck. After Google releases a new version or security fix, the manufacturers have to incorporate it into their own split-off versions of the Android OS before spiriting it off to your device. It’s even worse with carrier-branded phones, as the carrier must also test and approve the updates before they come to you. This contrasts sharply with how updates work on iOS. Apple pushes a button, and it heads right to everyone’s iPhone.

Nexus is best, but everyone needs to elevate their game

The Cambridge team created a FUM score to compare the security provided by the different devices. As the chart indicates, Nexus devices are at the top, with LG leading the other third-party manufacturers.

The scores detail how well (or poorly) Android manufacturers are doing with securing their devices.

Even with the pledge of monthly security updates, no one besides Nexus devices scored above a five out of 10. That could change over time, but it’s too early for us to know how effective these monthly patches are, and whether or not the manufacturers will hold to this promise over the long term. Also, the monthly security patch promise doesn’t solve the bottleneck problem—outside of full-price and unlocked phones, carriers still hold the keys to when phones get updates.

Researcher Dr. Daniel Wagner summarized the core of the problem.

“Google has done a good job at mitigating many of the risks and we recommend users only install apps from Google’s Play Store since it performs additional safety checks on apps,” he said. “Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users. Phones require updates from manufacturers, and the majority of devices aren’t getting them.”

Fortunately, if you stick to Play Store apps and don't download any shady software from outside sources, you should be fine. But when it comes time to upgrade your phone, you may want to check back with the Cambridge team as part of your decision about which phone to buy.

Stories by Derek Walter