Most Android devices are running old security patches and could be vulnerable
Mobile security firm Skycure released a report yesterday stating that 71% of Android devices in the United States have outdated security patches, possibly leaving them vulnerable to attack. The report looked at 2016 and looked how cyber attacks changed over the year. Skycure found that “growth in malware and network incidents was substantial” with an ever-increasing emphasis on mobile devices.
The easiest ways to fight these kinds of intrusions is to patch an affected app or operating system. This is an easy feat for iOS devices, as Apple tightly controls both the hardware and software distribution and can easily push updates to all devices simultaneously. Android, however, is another beast. The open-source nature of the operating has long been plagued with disparate hardware and modified software that makes it difficult for a single patch to fix all active devices.
Android manufacturers often install a custom version of the OS on individual phone models (commonly called “skins”), making it difficult to implement security updates. On top of that, mobile carriers often have their own tweaks to Android phones, which further complicates the matter.
Skycure detailed what they believe are the necessary steps to resolve a security issue on an Android phone:
Discover the vulnerability
Notify the developer
Build a security patch
Tailor the patch to each mobile carrier
Push the patch out (dependent on the carrier)
Install the patch (dependent on the end user)
Skycure found that most phones (about 71%) are running security patches that are 2 months old or older. This could leave most US Android users vulnerable; when patches are released, the fixes are often detailed. That means hackers and other malicious parties have direct access to what security holes and flaws are currently active. If a patch is released and a user is waiting on their carrier to send an update, they could be vulnerable to a hacker that now knows specific details on how to circumvent the current security measures.
The message seems to be clear: update your phone (if you can) as soon as a security patch comes out, and encourage your carrier to push security updates as soon as possible.