Google: Android malware is a minor issue, but patching remains a weak spot

Google has released its Android Security Annual Report detailing its and the ecosystems security achievements and shortcomings during 2015.

The headline figure in Google’s second annual Android security report is that malware was installed on fewer than 0.15 percent of devices that only install apps from Google Play, meaning no change from last year’s first Android security annual report.

The report canvasses a number of major changes Google has implemented over the past year to improve Android security and its responses to malware threats.

Google hopes the report will “drive an informed conversation” about Android security as it attempts to address challenges in distributing security updates to a highly fragmented ecosystem. As it notes in the report, there are now 60,000 unique device models that make up the Android ecosystem.

While device fragmentation may add to the complexity of patching Android devices, Google argues that this diversity also “provides a naturally occurring defense against simple widespread exploitation, and has made it more difficult for attackers to be successful against the platform as a whole.”

The open source software has also allowed Android partners to bring their own improvements, such as Samsung’s KNOX, and Blackberry’s new PRIV Android devices, which Google points to as examples of third-parties improving Android security.

On the other hand, Google acknowledged ongoing problems ensuring patches it releases make it through device makers and carriers to end-users.

Last year saw the introduction Google’s monthly security update program for Nexus devices. Samsung, LG and Blackberry have followed suit but there are still thousands of devices from dozens of manufacturers that don’t receive regular security updates.

According to Google, “hundreds of unique” devices have been updated more regularly as a result, but it concedes many of the 60,000 models are still not receiving regular updates.

Google said it is boosting efforts to help Android partners update devices in a timely manner.

Google last year also introduced public security bulletins for Android and launched the Android Vulnerability Rewards program in June last year.

The company said it awarded researchers $210,161 for 114 bugs submitted to the program, covering 30 critical flaws, 34 high severity issues, 34 moderate bugs, and 16 low severity issues.

The rewards program had a massive impact on Android patching, with critical bugs reported through the bounty program over a sic month period amounting to half of the critical bugs patched for the entire year.

In 2015, Google released a total of 172 patches for Android, including fixes for 69 critical, 54 high, 34 moderate, and 16 low severity fixes.

Google more than doubled the number of patches it provided in 2015 compared with 2014 when it provided patches just 79 bugs. It noted in the report that the biggest factor behind the increased number of patches was the rewards program.

Still, a major weakness in the Android ecosystem is getting device makers and carriers to deliver patches that Google provides.

Google said it provides security patches to manufacturers for Android 4.4.4 (KitKat) and higher.

According to Google, 70.8 percent of all active Android devices are on a version that it support with patches.

The question with Android remains whether Android handset makers and mobile network operators actually deliver those updates to end users. Previous studies suggest that few devices actually receive security updates from carriers and handset makers.

Participate in this short survey on IT security strategies across the Australian market and go in the draw to WIN a 360Fly camera vailued at $689.

Start survey NOW

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesAndroid devicesBlackBerry PrivAndroid KitKatlgpatchingBug bountyAndroid securitybugsmalwareSamsung KnoxsamsungGooglebugs and security failuresnexus

More about GoogleLGSamsung

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place