{"id":10296,"date":"2015-10-20T09:51:48","date_gmt":"2015-10-20T13:51:48","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=10296"},"modified":"2019-11-15T07:01:12","modified_gmt":"2019-11-15T12:01:12","slug":"insecure-android-devices","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/insecure-android-devices\/10296\/","title":{"rendered":"87% of Android smartphones are insecure and that&#8217;s no joke"},"content":{"rendered":"<p>British scientists proved that Android devices are highly dangerous when it comes to you and your data. It\u2019s no joke \u2014 <a href=\"https:\/\/www.cl.cam.ac.uk\/~drt24\/papers\/spsm-scoring.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">researchers at the University of Cambridge did serious research<\/a> on the devices, analyzing over 20,000 smartphones from various vendors and discovering that 87.7% of Android devices are susceptible to at least one critical vulnerability.<\/p>\n<p>This dreadful fact emerged as a byproduct of a study whose goal was to reveal which vendors\u2019 devices were the most secure.<\/p>\n<p>The experiment was conducted with the help of ordinary people and their ordinary smartphones: the participants consented to install a special app called\u00a0<a href=\"https:\/\/play.google.com\/store\/apps\/details?id=uk.ac.cam.deviceanalyzer\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Device Analyzer<\/a> from Google Play. This application helped to find out how resistant the devices were to the most widespread attacks by sending data on which versions of software were installed on the device.<\/p>\n<p>Not all vulnerabilities were taken into consideration \u2013 just those exploitable completely wirelessly. 
Of those, 32 were critical, but only 11 bugs, those that could be applied to all participating devices, were considered during the experiment to keep the results fair.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023931\/vulneruble-android-chart.jpg\"><img decoding=\"async\" class=\"aligncenter wp-image-10298 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2015\/10\/06023931\/vulneruble-android-chart.jpg\" alt=\"Android devices are insecure\" width=\"680\" height=\"400\"><\/a><\/p>\n<p>So, why do different vendors offer varying security levels? First, it depends on whether the OS version is up to date; Google, Linux Foundation and other relevant Android developers issue regular updates, which include security patches for known vulnerabilities.<\/p>\n<p>The thing is that the majority of Android devices have to queue for those updates, so they arrive more slowly than they should. It\u2019s not Google who sends the OTA updates; a carrier or an OEM vendor now performs this task and the updates are delivered as fast as the vendor likes \u2013 meaning \u2018not fast at all.\u2019<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">1 Billion <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a> devices vulnerable to <a href=\"https:\/\/twitter.com\/hashtag\/NEW?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#NEW<\/a> Stagefright flaws\u2026 <a href=\"https:\/\/twitter.com\/hashtag\/nopatches?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#nopatches<\/a> <a href=\"https:\/\/t.co\/1Wt8iqOY2b\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/1Wt8iqOY2b<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener 
nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/LJUuODPDra\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/LJUuODPDra<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/649575239999950848?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 1, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Although all manufacturers vow to offer users a two-year support plan, many devices stop receiving updates some time close to the end of their lifecycle (or even the middle). That means smartphone models based on an outdated (and thus forever unpatched) Android version are abundant, and their numbers vary by vendor.<\/p>\n<p>To quantify the level of security for various Android vendors, the Cambridge research group introduced the FUM index. The abbreviation stands for the following:<\/p>\n<ul>\n<li>F (free) \u2014 the share of devices which were free of critical vulnerabilities throughout the testing.<\/li>\n<li>U (update) \u2014 the share of a particular vendor\u2019s devices that run the latest version of Android.<\/li>\n<li>M (mean) \u2014 the average number of unpatched vulnerabilities in a particular vendor\u2019s phones.<\/li>\n<\/ul>\n<p>The normalized total of those values constitutes the FUM index, with values ranging from 1 to 10. 
It serves as a means of evaluating a vendor\u2019s security score.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">95% of <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a> phones can be hacked with one just <a href=\"https:\/\/twitter.com\/hashtag\/MMS?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#MMS<\/a>, millions at risk <a href=\"https:\/\/t.co\/BJg5e7ss8N\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/BJg5e7ss8N<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"http:\/\/t.co\/DGBSkhQdDo\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/DGBSkhQdDo<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/628620894395629568?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 4, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Over four years, from July 2011 through 2015, the mean FUM Index for all Android devices turned out to be abysmally low \u2013 2.87 out of 10. The most secure smartphones are, predictably, Google Nexus. No wonder: Google takes care of patching its own devices.<\/p>\n<p>For Nexus devices, FUM reaches the value of 5.17 \u2013 still not quite close to 10. 
Unfortunately, updates do not land on Nexus devices right away: the delivery of OTA updates takes up to two weeks, during which the device might remain insecure.<\/p>\n<p>To do justice to other smartphone vendors, the champions are LG (FUM 3.97), followed by Motorola (3.07), Samsung (2.75), Sony (2.63), HTC (2.63) and ASUS (2.35).<\/p>\n<p>The most insecure devices belong to B-grade and no-name brands like Symphony (0.30) and Walton (0.27). We might assume that most Chinese no-name brands have a FUM Index as low as that.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Of Non-Nexus Devices and the <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Security<\/a> Rewards Program: <a href=\"http:\/\/t.co\/owKwqqFmDJ\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/owKwqqFmDJ<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/611517438694400001?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">June 18, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>What is a bit unsettling about the research is the deliberate exclusion of Huawei, Lenovo, and Xiaomi smartphones, although these brands, <a href=\"http:\/\/www.idc.com\/prodserv\/smartphone-market-share.jsp\" target=\"_blank\" rel=\"noopener nofollow\">according to IDC analytics<\/a>, occupy the 2<sup>nd<\/sup>, 3<sup>rd<\/sup>, and 4<sup>th<\/sup> positions in the global best-selling rating for Android smartphones.<\/p>\n<p>With that and other side-notes in mind, 
this research cannot be considered completely fair or definitive \u2013 yet this does not diminish its importance. The researchers managed to present a holistic (and thus gloomy) picture of the ecosystem\u2019s security and draw attention to common pain points in the infosec domain.<\/p>\n<p>We should admit Android is a desperately vulnerable system. It will remain so unless Google revamps the OS and the distribution model to enable a simultaneous, regular and vendor-agnostic update mechanism that spares users the cumbersome task of taking care of their device security.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Protect your <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a>: 10 tips for maximum security <a href=\"https:\/\/t.co\/PDu801dfyg\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/PDu801dfyg<\/a> <a href=\"http:\/\/t.co\/auqQf6NfVL\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/auqQf6NfVL<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/531065465049972736?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 8, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>But what can users do now to ensure their devices are protected? Here are some simple tips:<\/p>\n<p>1. Apply updates as soon as they are available. Do not ignore them.<\/p>\n<p>2. Download apps only from trusted sources and look out for rogue websites. This does not guarantee you are spared security issues, yet it is a means of avoiding a certain class of threats.<\/p>\n<p>3. 
Use a <a href=\"http:\/\/app.appsflyer.com\/com.kms.free?pid=smm&amp;c=kd-com\" target=\"_blank\" rel=\"noopener nofollow\">security solution<\/a> \u2013 if smartphone vendors are slow to enable security patches and save users from exploits, antivirus companies might do a better job here.<\/p>\n<p>4. And just try to be in the loop: read security news. Otherwise you would never know, for instance, that it\u2019s better to <a href=\"https:\/\/www.kaspersky.com\/blog\/critical-android-mms-vulnerability\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">disable default MMS downloads<\/a> to avoid issues relevant to the Stagefright vulnerability.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google\u2019s Android OS is a vulnerable system. Developers make it worse by not providing critical patches in time.<\/p>\n","protected":false},"author":675,"featured_media":10297,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[105,4627,423,398,192,97,45,422,268],"class_list":{"0":"post-10296","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-android","10":"tag-kaspersky-for-android","11":"tag-mobile-devices","12":"tag-patches","13":"tag-protection","14":"tag-security-2","15":"tag-smartphones","16":"tag-threats","17":"tag-vulnerabilities"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/insecure-android-devices\/10296\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/insecure-android-devices\/6153\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/insecure-android-devices\/6358\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/insecure-android-devices\/6299\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/insecure-android-devices\/7078\/"},{"hreflang":"it","url":
"https:\/\/www.kaspersky.it\/blog\/insecure-android-devices\/6788\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/insecure-android-devices\/9390\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/insecure-android-devices\/4987\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/insecure-android-devices\/5757\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/insecure-android-devices\/6294\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/insecure-android-devices\/9286\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/insecure-android-devices\/9390\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/insecure-android-devices\/10296\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/insecure-android-devices\/10296\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10296","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/675"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=10296"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10296\/revisions"}],"predecessor-version":[{"id":30384,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/10296\/revisions\/30384"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/10297"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=10296"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.c
om\/blog\/wp-json\/wp\/v2\/categories?post=10296"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=10296"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}