Categories: Breaking NewsHackingMobileReports

88% of Android devices vulnerable due to slow patch management

Researchers probed 20,400 Android devices and found 87.7 per cent contained at least one exploitable vulnerability due to a slow patch management.

New Android vulnerabilities are discovered every day, but it looks like that, some Android vendors are very slow in applying the necessary patch to fix the security issues. Some Android vendors are only fixing vulnerabilities once a year, this is the shocking revelation of a new study made by Daniel R Thomas, Alastair R Beresford, and Andrew Rice from the Cambridge University.

The trio proved 20400 devices and found out that 87.7% if the devices contain at least one big vulnerability, ready to be exploited.

In the Security Metrics for the Android Ecosystem paper, the experts explained the vulnerabilities (11) (i.e. dynamic link loading and injection) could let malware hijacking traffic, bricking mobile devices, replacing apps, and stealing user credentials.

“The security of Android depends on the timely delivery of updates to x critical vulnerabilities. Unfortunately few devices receive prompt updates, with an overall average of 1.26 updates per year, leaving devices un-patched for long periods. We showed that the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to x critical vulnerabilities. This arises in part because the market for Android security today is like the market for lemons: there is information asymmetry between the manufacturer, who knows whether the device is currently secure and will receive updates, and the consumer, who does not. Consequently there is little incentive for manufacturers to provide updates.” states the experts.

One good think that they proposed, is the creation metric that can be used by users and regulators to check the security risk related with the Android vendors. Below the metric used in the study:

The study also highlights that Nexus is the vendor that most of all constantly update its products.

Since the study was made in UK, they were only able to evaluate mobile carriers in that country, showing that O2 US is the best in pushing over-the-air security fixes, coming after T-mobile and Orange.

The patching architecture includes network operator, device manufactures, hardware developers, Google, and open source projects.

The criticality of the patch management is known for years, and it’s not getting better, there are too many organizations in the middle before the patches arrive the end user, one solution could be that every patch is applied by Google to every device, and not being controlled by the mobile provider like it happens nowadays. In this way the entire patch management could be drastically improved providing more security for every Android owner.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog McAfee Security Engineer at Swiss Re, but he also as knowledge in the areas of malware research, forensics, ethical hacking. He had previous experiences in major institutions being the European Parliament one of them. He is a security enthusiast and tries his best to pass his knowledge. He also owns his own blog http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – patch management, Android)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.