Most Android devices not up-to-date on security fixes

Skycure report shows slow application of security patches on Android

By Larry Magid

A report from Skycure found that “71% of all Android users on the five major US carriers are running security patches that are at least 2 months old.”

The report found that “Growth in malware and network incidents was substantial, but the majority of these malicious exploits depends on vulnerabilities in the operating system and core apps in order to succeed.”

By contrast, most Apple devices are up-to-date because “the software, hardware and distribution mechanism are all tightly integrated.” Android supports multiple hardware vendors and lots and different devices and both hardware makers and carriers are sometimes slow to deploy patches. There are exceptions, including Google’s own Pixel phones which tend to be up-to-date because, like Apple, Google has more control over the phone and its software.

Google reports that it is now offering monthly security patches but the company admitted that. “About half of devices in use at the end of 2016 had not received a platform security update in the previous year,” Google says that it is “working to increase device security updates by streamlining our security update program to make it easier for manufacturers to deploy security patches.”

Types of threats

In its full report (PDF), Skycure outlined the types of threats on mobile devices:

  • Adware – This may display unwanted ads, collect unauthorized marketing information about you, and redirect search requests to advertising websites, in hopes of getting the user to buy a product.
  • Hidden App – This has slightly different implications on iOS vs Android, but in general an app that doesn’t display a standard icon to indicate its presence, in effect hiding from the user. Potentially Unwanted – This may accompany a legitimate app or be installed as part of the process of another app, but is malicious. As this primarily describes the delivery method, other types of malware may also fall into this category.
  • Riskware – This is not malicious itself, but contains identified security holes that may be leveraged by other exploits with relative ease.
  • Spyware – This mostly runs in the background with no indication of its presence, often as additional code hidden in a legitimate-looking app, with the objective of stealing information and staying hidden

What you can do

  • You should periodically check to see if there are updates to your Android operating system or phone firmware. This is typically done by selecting About in the settings menu and then selecting System updates.
  • You should frequently check to see if there are updates to your apps. Apps are often updated with new security fixes. This is done by selecting the Installed tab in the Google Play store of your phone.
  • Be careful of the apps you install. Read reviews and disclosures. Delete apps you’re not using and be very cautious before downloading apps from any source other than the official Google Play store.
  • Be careful before connecting your phone to public Wi-Fi. Make sure it’s a secure and legitimate network. Consider instead using your cellular connection, which is more secure than public Wi-Fi.
  • Make sure your phone is locked with a PIN, fingerprint recognition or other type of locking methodology,