What Device Makers, Carriers, Users Can Do to Bolster Android Security

While security issues dog Android, it may be safer than you think. Here’s a look at the current state of Android security and how it may impact Android users.

While Android is not the most secure operating system in the world, Google actively works at improving Android security. The company has a team dedicated to finding flaws in its operating system and, with each new version, Google patches those holes. Patching security holes is a constant worry for all software developers and the organizations that use a wide range of software products.

Google has a bounty program that rewards researchers for findings flaws in Android. Better yet, the program actually works. Since its inception, researchers have found a wide range of flaws that affect Android, and Google has passed out cash to reward those who found them. Using cash to fight back against malware is actually a useful tool in addressing malware problems on Android.

Although it’s been easy for people to blame Google for Android woes in the past, the truth is the search giant has little to do with actually fixing issues. While Google may release a patch, it’s up to the company’s “partners”—mobile device makers and carriers—to actually deploy the software to affected devices. That means that the majority of patches never reach user devices.

The real blame for malware in Android might be better placed on vendors that don’t do enough to actually support their devices. After a product is sold, as few as 20 percent of those products are actually updated with the latest security patches, even if a zero-day vulnerability is discovered. Android vendors are worried more about device sales than maintaining their security after the sale.

Carriers are equally to blame because they don’t reliably update the devices that run on their networks. Google pushes security updates to wireless carriers but relies on them to actually release those updates to users. In some cases, the carriers respond but in others they don’t. It’s out of Google’s hands at that point and, in far too many cases, carriers don’t do what they should to update products.

While Android gets a bad rap as the target for 99 percent of all mobile malware, it’s not actually affecting that many users. In fact, in April, Google released a report that showed that just 1 percent of Android devices in the wild were actually running malicious code. So, while the amount of Android malware circulating in the wild may be increasing, it appears that it’s not affecting that many devices so far.

Arguably the biggest issue affecting malware in the Android ecosystem is operating system fragmentation. Mobile devices run a variety of outdated versions of Google’s operating system, leaving them vulnerable to malware that exploits flaws that have been fixed in later editions of the platform. Fragmentation has been a problem with Android since Google released the first Android update. It’s an issue that Google, device makers and carriers will have to eventually solve if they want to get serious about suppressing malware and security holes in Android.

Although the latest-reported Stagefright flaw doesn’t fit the mold, the vast majority of malware that impacts Android devices actually requires user input of some sort. In other words, users would need to open a link, see a text message or interact with malicious code in some way for it to deliver its payload. It’s important to remember that while Android malware is prevalent, in the vast majority of cases, users have to be duped into installing the malware.

The easiest way for a malicious hacker to deliver a malware payload to an Android user is through an app. However, Google has done a much better job in the past year analyzing apps and rejecting suspected malware. The biggest app threats tend to come from third-party Android app stores where reviews are not necessarily as rigorous. Hackers also tend to take advantage of unsuspecting victims by using phishing attacks. Keeping app downloads to Google Play and remaining vigilant about phishing attacks will safeguard users from the vast majority of Android malware.

User education is essential when it comes to security of any kind of connected device, let alone Android security. Users should learn what they need to do to update their software or find the latest patches. Those who know what to do are able to dodge malware attacks. Having simple knowledge of what to look for is the first step in securing an Android device or any other product that is subject to security vulnerabilities.