Here’s an idea—if a smartphone can’t be secured against the most dangerous and malicious known threats, then it shouldn’t be sold. But a shock new report from consumer group Which claims this is exactly what is happening right now. “More than one billion Android devices are at risk of malware threats,” Which says, with as many as 40% of users “no longer receiving important security updates.”
The importance of keeping your device updated cannot be overstated, as security patches are constantly being rolled out. This can be challenging enough with Android anyway, where the onus is on manufacturers to push the software. But the report highlights that slightly older phones, three years or older, can no longer get the updates yet can still be found for sale on marketplaces around the world.
Google is taking malware seriously. I have reported before on large-scale take-downs of apps that present a threat to users, and Google has told me that “we take reports of security and privacy violations seriously. If we find behaviour that violates our policies, we take action.” The company’s recent ban on a major Chinese app developer and its launch of the App Defense Alliance are all part of this program, as is the tech giant’s new screening for potentially adverse permissions.
This issue is different, though, and also needs a solution. “Our latest tests,” Which says, show that those devices “could be affected by a range of malware and other threats. This could result in personal data being stolen, getting spammed by ads or signed up to a premium rate phone service.”
Which purchased a Motorola X, Samsung Galaxy A5 and Sony Xperia Z2 from Amazon Marketplace; “we also had existing LG/Google Nexus 5 and Samsung Galaxy S6 smartphones in our test lab.”
Those phones were three years old and, with the exception of the Galaxy A5, could update only as far as Android 7—the Galaxy was able to get to 8. The research team then enlisted the help of a security firm to test those phones against some of the most rampant malware around: Joker, BlueFrag and Stagefright.
Which contrasts Google’s fragmented approach with the more locked-down update philosophy adopted by Apple, where devices will be supported for the foreseeable future. Which says that “by contrast, Google has whipped through Android versions like a hungry child set loose on the dessert trolley—generally speaking, the older the phone, the greater the risk.”
This, though, is only half the issue. The greater risk is the lack of universality in those updates. They are rolled out to a different timetable across and even within manufacturers. For users, there is simply no one-size-fits-all update approach, which would be both more effective and necessary given the mobile threat landscape.
According to Google data from last year, more than 40% of active Android users are on versions of the operating system that fall foul of its update approach. Referring to the Android Security Bulletin, Which says that “there were no security patches issued for the Android system in 2019 that targeted Android versions below 7.0 Nougat. That means more than one billion phones and tablets may be active around the world that are no longer receiving security updates.”
Google didn’t provide Which with any comments or reassurance that this issue is being fixed. It did point to new efforts to accelerate the general update process for phones. That’s good news for newer models but no news for the rest. Shifting to faster, automated updates as standard—essentially the iPhone approach—is a huge step forwards. Again, though, it doesn’t fix this issue.
The Play Store has a malware issue. It has an even greater adware issue—nuisance software that plagues users with unwanted ads. There is a constant battle between Google and the threat actors to patch the system and find new ways through. The malware tested by Which includes exploits to secretly hack a phone over its Bluetooth connection, the threat of unknown sign-ups to premium rate subscriptions and the risk that users will be tricked into visiting malicious websites that look to steal credentials. These are serious risks.
Beyond these headline malware samples, though, there is a vast array of other, less dangerous risks that will drain your battery and consume your data plan. If you’re not protected, you’re not protected—it’s as simple as that.
Android users should regularly check for updates—do that now. And if you can’t get an update beyond Android 7, then it’s probably time for a new device. Beyond that, it’s all about common sense—be careful what you download, don’t open unexpected attachments, don’t click on viral website links sent over messaging platforms.
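For anyone looking after more than one handset, the check above can be scripted. As an added example (not code from Which or from this article), the Python below applies the report's Android 7.0 cut-off plus a stale-patch-level check to the output of `adb shell getprop`; the device list, the audit date and the 90-day threshold are constructed for the sample.

```python
"""Fleet audit for the conditions the Which report describes: a build below Android 7.0
(no 2019 patches in the Android Security Bulletin) or a stale security patch level."""
import re
from datetime import date
# Constructed sample: trimmed `adb shell getprop` output from four hypothetical devices.
SAMPLE_GETPROP = {
    "device-a": "[ro.build.version.release]: [6.0.1]\n[ro.build.version.security_patch]: [2016-10-05]\n",
    "device-b": "[ro.build.version.release]: [8.0.0]\n[ro.build.version.security_patch]: [2019-10-01]\n",
    "device-c": "[ro.build.version.release]: [10]\n[ro.build.version.security_patch]: [2020-02-05]\n",
    "device-d": "[ro.build.version.release]: [7.1.1]\n",  # patch level missing entirely
}
AUDIT_DATE = date(2020, 3, 6)  # constructed "today" so the sample stays reproducible
MIN_RELEASE = (7, 0)           # below 7.0 Nougat: no security patches issued in 2019
MAX_PATCH_AGE_DAYS = 90        # constructed policy threshold, not a Google figure
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<val>[^\]]*)\]$")

def parse_getprop(text):
    """Turn `[key]: [value]` lines into a dict; anything else is ignored."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("val")
    return props

def release_tuple(release):
    """'7.1.1' -> (7, 1, 1); a '-beta' style suffix is dropped; '' -> (0,)."""
    nums = re.findall(r"\d+", release.split("-")[0])
    return tuple(int(n) for n in nums) or (0,)

def audit_device(props, today=AUDIT_DATE):
    """Return the reasons a device counts as unpatched (empty list means it passes)."""
    reasons = []
    rel = props.get("ro.build.version.release", "")
    if release_tuple(rel)[:2] < MIN_RELEASE:
        reasons.append(f"Android {rel or '?'} is below 7.0: no security patches issued for it in 2019")
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        reasons.append("no ro.build.version.security_patch reported")
    else:
        try:
            age = (today - date.fromisoformat(patch)).days
        except ValueError:
            reasons.append(f"unparseable security patch level {patch!r}")
        else:
            if age > MAX_PATCH_AGE_DAYS:
                reasons.append(f"security patch level {patch} is {age} days old")
    return reasons

def audit_fleet(fleet=SAMPLE_GETPROP, today=AUDIT_DATE):
    return {name: audit_device(parse_getprop(text), today) for name, text in fleet.items()}
```

Pipe real `adb -s <serial> shell getprop` output into `parse_getprop` per device to run it against an actual fleet.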
Any response from Google to this story will be added here.