Over half of all the Android devices in the world have unpatched security vulnerabilities

September 14, 2012
46 1 19

X-Ray for AndroidAbout six weeks ago Duo Security released its X-Ray app, which was developed with funding from DARPA, that scans an Android device for known security vulnerabilities. These vulnerabilities, which include privilege escalation bugs and flaws which allow the internal security of Android to be bypassed, leave your device open to attack by malicious apps that gain root access and perform restricted actions.

Now after six weeks of gathering data, Duo Security is ready to publish its preliminary findings. The full disclosure of these early results will be made today at Rapid7′s United Summit conference in San Francisco, however Jon Oberheide of Duo Security did publish one startling statistic. Of the 20,000 scans performed worldwide, over half of Android devices have unpatched vulnerabilities.

Of course the big question is, who is responsible for fixing these issues? And here lies the weakness in the fragmented Android ecosystem. For sure, Google write the code and it needs to fix the bugs. Actually it already has, a long time ago. I performed an X-Ray scan on three devices, two running Android 4.0 Ice Cream Sandwich and one running Cyanogenmod 7 (based on Android 2.3.7). The two Android 4.0 devices reported no vulnerabilities, meaning that Google has fixed the bugs, but my Android 2.3.7 phone is vulnerable to ZerhRush (a¬†vulnerability in Android’s libsysutils that allows an attacker to overwhelm the system with command arguments and gain root access).

But there are no more updates available for the 2.3.7 Android phone. I got it from my local mobile phone operator (Orange) and it originally had Android 1.6 on it! Orange then released an update to Android 2.1 and that was it. I put Cyanogenmod 7 on the device but that is as far as it goes. In the Apple ecosystem it is the engineers at Cupertino who fix and supply updates to iOS for everyone, all over the world, all at the same time. But in the Android ecosystem, Google made a change to the code and then that has to filter through to the carriers and/or the manufacturers, who then publish updates for the phones. Often older phones (anything older than 18 months) are just left to rot.

Don’t get me wrong, Apple also abandon their customers. Remember the rush to go out and buy an iPad? Well, original iPad owners can’t upgrade to iOS 6, only those with an iPad 2 or “new iPad.” It is a similar story with the original iPhone and the iPhone 3G with regards to previous¬†versions¬†of iOS. The really odd thing is that iOS 6 will be available for the iPhone 3GS! Confused much? So are we.

Back to X-Ray, Jon Oberheide has promised a followup blog post next week detailing the full results, statistical methodology, and what the team are planning for X-Ray in the future.

Do these numbers worry you? Do you think the carriers and manufacturers are abandoning customers with older phones and leaving them open to attacks by hackers?  Leave a comment below.

Comments

  • GBGamer

    The iPhone 3gs had double the RAM of the 3g and original. That’s why.

    • http://www.garysims.co.uk garysims

      Yes that is true, but the question is not why the 3GS has iOS 6 and not the 3G, but why the 3GS has iOS 6 but the original iPad doesn’t. The original iPad has the same memory as the 3GS but with a better CPU + GPU.

      • blunden

        Simple. The 3GS processor supports the ARMv7 instruction set, just like all the newer models. The 3G only supports upp to ARMv6. Dropping support for it probably meant they could add more ARMv7-optimized code without having to keep it separate. It was too slow anyway and the 3GS has most iOS 6 features removed.

  • MasterMuffin

    You already made an article about this app

    • http://www.garysims.co.uk garysims

      Yes we did, in fact I linked to it in the article. The point is that now after six weeks the results are in and over half of all the Android devices in the world have unpatched security vulnerabilities.

      • MasterMuffin

        Oh okay, but that’s pretty obvious, because there aren’t that many android 4.0 and 4.1 devices :)

        • http://www.garysims.co.uk garysims

          Actually, it isn’t that obvious because Google should have either fixed these errors in the 2.2 and 2.3 code streams or if it has already then the carriers/manufacturers should be releasing updates like Apple does (sometimes).

          • MasterMuffin

            Well that’s true. How much (if at all) does a good anti-virus like avast or f-secure help?

          • http://www.garysims.co.uk garysims

            Having a good anti-virus helps, it should (hopefully) catch any apps or mobile websites which try and exploit these vulnerabilities, but it won’t fix the vulnerabilities themselves.

          • MasterMuffin

            Yea I know that they don’t fix them but good to know that they really work because avast didn’t find anything when I downloaded an app that normally didn’t have many permission but when I downloaded that same app from internet, it had permissions like “find my exact location” and “call and send messages” and it was just a game (I thought I should test avast, but when it said that the app was safe, I was like WHAAT)

      • Tough_Support_Girl

        This is just because the original article didn’t get enough “hits”… so they think if they write more and more “pointer articles”… it will improve their “hits” counters.

        How about this instead: Write better stories. More accurate stories. More interesting stories. Better spelling. Links that actually work. Better pictures. Grammar.

        > For sure, Google write the code and it needs

        “Google write the code”???

        • Kernschatten

          Thank you. Could not have said it any better.

        • http://www.garysims.co.uk garysims

          First, it has nothing to do with the original article not getting enough hits. I don’t even look at the number of hits each article gets, doesn’t interest me. I also didn’t write the first article, a colleague of mine did.

          And yes, there is a typo in the article. Well spotted.

          But are you telling me (and I genuinely want to know) that the news from an actual study that over half of the Android devices in the world are susceptible to attack because of known security vulnerabilities isn’t a good story. That doesn’t interest you at all?

          • Kernschatten

            How do come up with half of all Android devices in the world are vulnerable? It’s a sample of 20,000! Were they all stock, locked and unrooted? What versions of the OS were they running? Do some versions have more than one vulnerability? Is there anything that the average user can do to avoid malicious apps? Does Google have any comment about this?

            And why bring up Apple? I’m not here to read about Apple.

            It’s not you, quality is suffering at Android Authority.

          • http://www.garysims.co.uk garysims

            The figure of half is of course an extrapolation, but the number comes from Duo Security not from me. As it says in the article “Jon Oberheide has promised a followup blog post next week detailing the full results and statistical methodology.”

            So next week we will have all the data including versions, geography etc.

            As for the average user, that is exactly mine concern, I personally think that the carriers / manufacturers have been too lackadaisical about updating the firmware for existing customers. They need to be brought to account.

            And way discuss Apple? Simple, it is called compare and contrast. I don’t know if someone is considered tall or short unless I compare them to others, to the average. Apple are one of the other big providers of smartphones and if it can do something about updating its firmware, it stands to reason that Android companies can do so as well.

        • MasterMuffin

          That was the most stupid comment of this month, congratulations!

  • Bruce Gavin Ward

    until the note2 becomes available i am using a samSung running gingerBread, 3.whatever; i have avast protecting it, and have used it for many years with complete success avoiding all mallware. Is this sufficient?

    • http://www.garysims.co.uk garysims

      Using avast helps, it should (hopefully) catch any apps or mobile websites which try and exploit these vulnerabilities, but it won’t fix the vulnerabilities themselves.

      If someone nasty creates an app or mobile website which avast doesn’t recognize (or protect you from) then they can breach the security on your phone and you *might* not even know it.

      Of course, if you stay well away from third party stores and only use Google Play or Amazon, plus you don’t surf any “dodgy” websites then you should be fine.

      It all comes down to risk percentiles. Technically I could get run over by a bus tomorrow. But I still take the risk to cross the road.

  • Adam Outler

    X-ray is missing some vulnerabilities. The DebugFSRoot exploit for one… it can be applied on the device and allow root after reboot.