87% of Android smartphones are insecure and that’s no joke

Google’s Android OS is a vulnerable system. Developers make it worse by not providing critical patches in time.

Android Vulnerabilities

British scientists proved that Android devices are highly dangerous when it comes to you and your data. It’s no joke — researchers at the University of Cambridge did serious research on the devices: analyzing over 20,000 smartphones by various vendors to discover that 87.7% of Android devices are susceptible to at least one critical vulnerability.

This dreadful fact emerged as a byproduct of a study whose goal was to reveal which vendors’ devices were the most secure.

The experiment was conducted with the help of ordinary people and their ordinary smartphones: the participants consented to install a special app called Device Analyzer from Google Play. By reporting which software versions were installed on each device, the application made it possible to determine how resistant the devices were to the most widespread attacks.

Not all vulnerabilities were taken into consideration – just those exploitable completely wirelessly. Of those, 32 were critical, but only the 11 bugs that applied to all participating devices were considered during the experiment, to keep the results fair.

Android vulnerability chart

So, why do different vendors offer differing security levels? First, it depends on whether the OS version is up-to-date; Google, Linux Foundation and other relevant Android developers issue regular updates, which include security patches for known vulnerabilities.

The thing is that the majority of Android devices are queuing to get those updates, so delivery is not as fast as it should be. It’s not Google who sends the OTA updates; a carrier or an OEM vendor now performs this task, and the updates are delivered as fast as the vendor likes – meaning ‘not fast at all.’

Although all manufacturers vow to offer users a two-year support plan, many devices stop receiving updates some time close to the end of their lifecycle (or even in the middle of it). That means smartphone models based on an outdated (and thus forever unpatched) Android are abundant, and how many there are varies by vendor.

To quantify the level of security for various Android vendors, the Cambridge research group introduced the FUM index. This abbreviation means the following:

  • F (free) — the share of devices which were free of critical vulnerabilities throughout the testing.
  • U (update) — the share of devices by a particular vendor, which employ the latest version of Android.
  • M (mean) — the average number of unpatched vulnerabilities in the phones by a particular vendor.

The normalized total of those values constitutes the FUM index, with values ranging from 1 to 10. It serves as a means of evaluating a vendor’s security score.
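To make the three FUM components concrete, here is an added Python example (not code from the article or from the Cambridge group) that derives f, u and m per vendor from constructed device records and then combines them into a score. The bug list, the "latest" version and the device fleet are constructed, and the 4/3/3 weighting in fum_score is an assumption recalled from the published paper, which the article itself does not give.

```python
from collections import defaultdict
from dataclasses import dataclass
from math import exp

# Constructed sample: critical, wirelessly exploitable bugs keyed by the Android
# release that fixed them. Not the study's real list of 11 vulnerabilities.
FIXED_IN = {"bug-A": "4.1", "bug-B": "4.4", "bug-C": "5.0", "bug-D": "5.1"}
LATEST_VERSION = "5.1"  # assumed "latest Android" for this sample

@dataclass
class Device:
    vendor: str
    version: str  # Android version the handset reports, e.g. "4.4"

def version_key(version):
    """Turn "5.1" into (5, 1) so releases compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def outstanding(device):
    """Critical bugs still unpatched on a device: those fixed only in a later release."""
    return [bug for bug, fixed in FIXED_IN.items()
            if version_key(device.version) < version_key(fixed)]

def fum_components(devices):
    """Per-vendor (f, u, m): share free of critical bugs, share on the latest
    release, and mean number of unpatched critical bugs per device."""
    by_vendor = defaultdict(list)
    for d in devices:
        by_vendor[d.vendor].append(d)
    result = {}
    for vendor, ds in by_vendor.items():
        n = len(ds)
        f = sum(1 for d in ds if not outstanding(d)) / n
        u = sum(1 for d in ds if d.version == LATEST_VERSION) / n
        m = sum(len(outstanding(d)) for d in ds) / n
        result[vendor] = (f, u, m)
    return result

def fum_score(f, u, m):
    """Assumed weighting (recalled from the Cambridge paper, not given in the
    article): 4f + 3u + 3*2/(1+e^m). A fully patched fleet scores 10."""
    return 4 * f + 3 * u + 3 * (2 / (1 + exp(m)))

def fum_by_vendor(devices):
    return {v: round(fum_score(*c), 2) for v, c in fum_components(devices).items()}

# Constructed fleet: "VendorA" keeps most handsets current, "VendorB" does not.
SAMPLE = [Device("VendorA", v) for v in ("5.1", "5.1", "5.0", "4.4")] + \
         [Device("VendorB", v) for v in ("4.1", "4.1", "4.4", "5.0")]
```

Running fum_by_vendor(SAMPLE) shows how a vendor with no device on the latest release and several unpatched bugs per handset collapses toward the bottom of the scale.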

In just four years, from July 2011 through 2015, the mean FUM Index for all Android devices turned out to be abysmally low – 2.87 out of 10. The most secure smartphones are, predictably, Google Nexus. No wonder: Google takes care of patching on its own devices.

For Nexus devices, FUM reaches 5.17 – still not quite close to 10. Unfortunately, updates do not land on Nexus devices right away: the delivery of OTA updates takes up to two weeks, during which the device might remain insecure.

To do justice to the other smartphone vendors, the champions are LG (FUM 3.97), followed by Motorola (3.07), Samsung (2.75), Sony (2.63), HTC (2.63) and ASUS (2.35).

The most insecure devices belong to B-grade and no-name brands like Symphony (0.30) and Walton (0.27). We might assume that most Chinese no-name brands have a FUM Index as low as that.

What is a bit unsettling about the research is the deliberate exclusion of Huawei, Lenovo, and Xiaomi smartphones, although these brands, according to IDC analytics, occupy the 2nd, 3rd, and 4th positions in the global smartphone sales ranking.

With that and other side-notes in mind, this research cannot be considered absolutely fair and ultimate – yet this does not diminish its importance. The researchers managed to present a holistic (and thus gloomy) picture of the ecosystem security and attract certain attention to common pain points in the infosec domain.

We should admit Android is a desperately vulnerable system. It will remain so unless Google revamps the OS and its distribution model to enable a simultaneous, regular and vendor-agnostic update mechanism, sparing users the cumbersome mission of taking care of their device security themselves.

But what can users do now to ensure their devices are protected? Here are simple tips:

  1. Apply updates as soon as they are available. Do not ignore them.
  2. Download apps only from trusted sources and look out for rogue websites. It does not guarantee you are spared security issues, yet it is a means of avoiding a certain class of threats.
  3. Use a security solution – if smartphone vendors are slow to deliver security patches and save users from exploits, antivirus companies might do a better job here.
  4. And just try to be in the loop: read security news. Otherwise you would never know, for instance, that it’s better to disable default MMS downloads to avoid issues relevant to the Stagefright vulnerability.