Google: Android malware is a minor issue, but patching remains a weak spot

Google has released its Android Security Annual Report detailing its and the ecosystems security achievements and shortcomings during 2015.

The headline figure in Google’s second annual Android security report is that malware was installed on fewer than 0.15 percent of devices that only install apps from Google Play, meaning no change from last year’s first Android security annual report.

The report canvasses a number of major changes Google has implemented over the past year to improve Android security and its responses to malware threats.

Google hopes the report will “drive an informed conversation” about Android security as it attempts to address challenges in distributing security updates to a highly fragmented ecosystem. As it notes in the report, there are now 60,000 unique device models that make up the Android ecosystem.

While device fragmentation may add to the complexity of patching Android devices, Google argues that this diversity also “provides a naturally occurring defense against simple widespread exploitation, and has made it more difficult for attackers to be successful against the platform as a whole.”

The open source software has also allowed Android partners to bring their own improvements, such as Samsung’s KNOX, and Blackberry’s new PRIV Android devices, which Google points to as examples of third-parties improving Android security.

On the other hand, Google acknowledged ongoing problems ensuring patches it releases make it through device makers and carriers to end-users.

Last year saw the introduction Google’s monthly security update program for Nexus devices. Samsung, LG and Blackberry have followed suit but there are still thousands of devices from dozens of manufacturers that don’t receive regular security updates.

According to Google, “hundreds of unique” devices have been updated more regularly as a result, but it concedes many of the 60,000 models are still not receiving regular updates.

Google said it is boosting efforts to help Android partners update devices in a timely manner.

Google last year also introduced public security bulletins for Android and launched the Android Vulnerability Rewards program in June last year.

The company said it awarded researchers $210,161 for 114 bugs submitted to the program, covering 30 critical flaws, 34 high severity issues, 34 moderate bugs, and 16 low severity issues.

The rewards program had a massive impact on Android patching, with critical bugs reported through the bounty program over a sic month period amounting to half of the critical bugs patched for the entire year.

In 2015, Google released a total of 172 patches for Android, including fixes for 69 critical, 54 high, 34 moderate, and 16 low severity fixes.

Google more than doubled the number of patches it provided in 2015 compared with 2014 when it provided patches just 79 bugs. It noted in the report that the biggest factor behind the increased number of patches was the rewards program.

Still, a major weakness in the Android ecosystem is getting device makers and carriers to deliver patches that Google provides.

Google said it provides security patches to manufacturers for Android 4.4.4 (KitKat) and higher.

According to Google, 70.8 percent of all active Android devices are on a version that it support with patches.

The question with Android remains whether Android handset makers and mobile network operators actually deliver those updates to end users. Previous studies suggest that few devices actually receive security updates from carriers and handset makers.

Participate in this short survey on IT security strategies across the Australian market and go in the draw to WIN a 360Fly camera vailued at $689.

Start survey NOW

Tags malwareGooglelgsamsungbugspatchingnexuspatchesAndroid securitybugs and security failuresBug bountySamsung KnoxAndroid devicesAndroid KitKatBlackBerry Priv

Show Comments