Security services provider Duo Security has stated that over 50 percent of all Android devices worldwide are vulnerable to unpatched security holes that could be exploited by hackers and malicious apps. The statement comes after the security firm conducted a project to highlight the fact that OEMs’ slow pace of rolling out updates for mobile systems is a serious problem.
The firm publicly launched a mobile app called X-Ray that performs a “vulnerability assessment” on Android devices. Rather than scanning for malicious apps the way an antivirus would, it scans for known but unpatched vulnerabilities in the mobile platform itself that could be exploited to take full control of a user’s phone. X-Ray has since returned data from over 20,000 Android devices worldwide, and based on these results, Duo Security states that more than half the world’s Android devices have vulnerabilities that can be exploited to take full control of the device.
Not quite as perfect as you’d thought, is it?
According to the official X-Ray FAQ, the app has detailed knowledge about a class of vulnerabilities known as “privilege escalation” vulnerabilities. Such vulnerabilities can be exploited by a malicious application to gain root privileges on a device and perform actions that would normally be restricted by the Android operating system. A number of such vulnerabilities have been discovered in the core Android platform, affecting nearly all Android devices. Even more have been discovered in manufacturer-specific extensions that may affect a smaller subset of Android users. Unfortunately, many of these privilege escalation vulnerabilities remain unpatched on large populations of Android devices despite being several years old.
With 500 million Android devices activated, it would come as little surprise to hear that a lot of hackers want to target the platform and exploit its known vulnerabilities. As we reported recently, only 1.2 percent of all Android devices currently run the latest version of the platform, Jelly Bean, while only 20 percent run Ice Cream Sandwich. A massive 57.2 percent of all Android devices still run Gingerbread, which by now is quite an old release of the platform. Vulnerabilities are bound to persist when OEMs simply do not offer updates and patches.
Duo Security’s findings come as no surprise then. In the case of the iPhone, this problem is mitigated as Apple releases the latest operating system for its various devices in one go. Unlike Android, iOS devices don’t have variations in hardware and software and Apple is thus able to push updates and patches directly to all of its devices across the world.
There is also the possibility that most users just do not install patches and updates. Duo Security states that this is “a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally”.
The complete details of the report will be revealed at Rapid7’s United Summit conference in San Francisco.