87% of Android smartphones are insecure and that’s no joke

Google’s Android OS is a vulnerable system. Developers make it worse by not providing critical patches in time.

British researchers have shown that Android devices put you and your data at considerable risk. It's no joke: researchers at the University of Cambridge did serious work on the problem, analysing over 20,000 smartphones from various vendors and finding that 87.7% of Android devices are susceptible to at least one critical vulnerability.

This dreadful fact emerged as a by-product of a study whose goal was to reveal which vendors' devices were the most secure.

The experiment was conducted with the help of ordinary people and their ordinary smartphones: participants consented to install an app called Device Analyzer from Google Play. By reporting which software versions were installed on the device, the application made it possible to determine how resistant each device was to the most widespread attacks.

Not all vulnerabilities were taken into consideration, just those exploitable completely wirelessly. Of those, 32 were critical, but to keep the results fair only the 11 bugs applicable to all participating devices were considered in the experiment.

[Chart: share of vulnerable Android devices]

So why do different vendors offer differing levels of security? First, it depends on whether the OS version is up to date: Google, the Linux Foundation and other relevant Android developers issue regular updates, which include security patches for known vulnerabilities.

The thing is that most Android devices aren't queuing up to get those updates, so it doesn't happen as fast as it should. It isn't Google that sends the OTA (over-the-air) updates, but your carrier. The difference from Apple devices is that Apple controls this, enabling the majority of its customers to update in one fell swoop. Due to the fragmentation of the Android market, this is simply impossible.

Although all manufacturers vow to offer users a two-year support plan, many devices stop receiving updates some time close to the end of that lifecycle (or even in the middle of it). This means that the shiny new smartphone you just bought may very well be out of date by the time your contract rolls around in two years' time.

To quantify the level of security for various Android vendors, the Cambridge research group introduced the FUM index. The abbreviation stands for the following:

• F (free) — the share of devices that were free of critical vulnerabilities throughout the testing.

• U (update) — the share of a particular vendor's devices that run the latest version of Android.

• M (mean) — the average number of unpatched vulnerabilities in a particular vendor's phones.

The normalised total of those values constitutes the FUM index, with values ranging from 1 to 10. It serves as a means of evaluating a vendor's security score.
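As an added example (not code from the post or from the Cambridge study), the script below computes f, u and m per vendor from Device Analyzer-style records, applying the same idea as the study's "only bugs applicable to every device" rule by checking each device's OS version against the version that fixed each bug. The vulnerability table, the device list, the "latest" release and the composite weighting (4·f + 3·u + 3·2/(1+e^m)) are all assumptions made for this example.

```python
"""Added example, not from the post: per-vendor FUM components computed
from constructed device records. Table, devices and weighting are assumed."""
import math
from collections import defaultdict

# Constructed table: remotely exploitable bug -> Android version that fixed it.
VULNS = {
    "bug-A": (4, 1, 2),
    "bug-B": (4, 4, 0),
    "bug-C": (5, 0, 0),
    "bug-D": (5, 1, 1),
}
LATEST = (5, 1, 1)  # assumed latest Android release at observation time

# Constructed Device Analyzer-style records: (vendor, installed OS version).
DEVICES = [
    ("VendorX", "5.1.1"), ("VendorX", "5.1.1"), ("VendorX", "5.0.0"),
    ("VendorY", "4.4"), ("VendorY", "4.1.2"), ("VendorY", "4.4.4"),
]

def parse_version(text):
    """Turn '5.1.1' or '4.4' into a comparable 3-tuple."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def open_vulns(version):
    """Table entries still unpatched on a device running `version`."""
    return [name for name, fixed in VULNS.items() if version < fixed]

def fum_components(devices):
    """Map vendor -> (f, u, m) as the post defines them."""
    by_vendor = defaultdict(list)
    for vendor, text in devices:
        by_vendor[vendor].append(parse_version(text))
    result = {}
    for vendor, versions in by_vendor.items():
        n = len(versions)
        open_counts = [len(open_vulns(v)) for v in versions]
        f = sum(1 for c in open_counts if c == 0) / n  # free of critical bugs
        u = sum(1 for v in versions if v >= LATEST) / n  # on latest release
        m = sum(open_counts) / n  # mean unpatched vulnerabilities
        result[vendor] = (f, u, m)
    return result

def fum_score(f, u, m):
    """Composite on a 0-10 scale. The weighting is an assumption for this
    example: 4*f + 3*u + 3*(2 / (1 + e**m)); it reaches 10 only when every
    device is patched, current and has no open bugs."""
    return 4 * f + 3 * u + 3 * (2 / (1 + math.exp(m)))
```

Calling `fum_components(DEVICES)` and feeding each tuple to `fum_score` gives roughly 7.17 for the mostly current VendorX fleet and 0.53 for VendorY, whose devices all carry several open bugs.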

Over four years, from July 2011 through 2015, the mean FUM index for all Android devices turned out to be abysmally low: 2.87 out of 10. The most secure smartphones are, predictably, Google's Nexus devices.

For Nexus devices, FUM reaches 5.17, still nowhere near 10. Unfortunately, updates do not land on Nexus devices straight away: the delivery of OTA updates can take up to two weeks, and all the while the device remains insecure.

To do justice to the other smartphone vendors, the leaders are LG (FUM 3.97), followed by Motorola (3.07), Samsung (2.75), Sony (2.63), HTC (2.63) and ASUS (2.35).

The most insecure devices belong to B-grade and no-name brands like Symphony (0.30) and Walton (0.27). We might assume that most Chinese no-name brands have a FUM index just as low.

What is a bit unsettling about the research is the deliberate exclusion of Huawei, Lenovo and Xiaomi smartphones, even though these brands, according to IDC analytics, occupy the 2nd, 3rd and 4th positions in the global best-seller ranking for Android smartphones.

With that and other side notes in mind, this research cannot be considered absolutely fair and complete, yet this doesn't diminish its importance. The researchers managed to present a holistic (and thus gloomy) picture of the ecosystem's security and draw attention to common pain points in the infosec domain.

We should admit that Android is a desperately vulnerable system. It will remain so unless Google revamps the OS and its distribution model to enable a simultaneous, regular and vendor-agnostic update mechanism, sparing users the currently cumbersome task of making sure their device is secure.

But what can users do now to ensure their devices are protected? Here are simple tips:

1. Apply updates as soon as they are available. Don’t ignore them.

2. Download apps only from trusted sources and watch out for rogue websites. This doesn't mean you're spared security issues, but it does mean you'll be less likely to fall victim to a vulnerability.

3. Use a security solution: if smartphone vendors are slow to ship security patches and protect users from exploits, antivirus companies might do a better job here.

4. And try to stay in the loop: read security news. Otherwise you would never know, for instance, that it's better to disable automatic MMS downloads to avoid issues related to the Stagefright vulnerability.
