{"id":6358,"date":"2015-10-21T05:51:14","date_gmt":"2015-10-21T09:51:14","guid":{"rendered":"https:\/\/kasperskydaily.com\/uk\/?p=6358"},"modified":"2019-11-22T10:12:35","modified_gmt":"2019-11-22T10:12:35","slug":"insecure-android-devices","status":"publish","type":"post","link":"https:\/\/www.kaspersky.co.uk\/blog\/insecure-android-devices\/6358\/","title":{"rendered":"87% of Android smartphones are insecure and that&#8217;s no joke"},"content":{"rendered":"<p>British scientists proved that Android devices are highly dangerous when it comes to you and your data. It\u2019s no joke \u2014 <a href=\"https:\/\/www.cl.cam.ac.uk\/~drt24\/papers\/spsm-scoring.pdf\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">researchers at the University of Cambridge did serious research on the devices<\/a>, analysing over 20,000 smartphones from various vendors and discovering that 87.7% of Android devices are susceptible to at least one critical vulnerability.<\/p>\n<p>This dreadful fact emerged as a by-product of a study whose goal was to reveal which vendors\u2019 devices were the most secure.<\/p>\n<p>The experiment was conducted with the help of ordinary people and their ordinary smartphones: the participants consented to install a special app called <a href=\"https:\/\/play.google.com\/store\/apps\/details?id=uk.ac.cam.deviceanalyzer\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Device Analyzer<\/a> from Google Play. This application helped to find out how resistant the devices were to the most widespread attacks by sending data on which versions of software were installed on the device.<\/p>\n<p>Not all vulnerabilities were taken into consideration \u2013 just those exploitable completely wirelessly. 
Of those, 32 were critical, but only the 11 bugs that could be applied to all participating devices were considered during the experiment, to ensure fair results.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/10\/05194709\/vulneruble-android-chart.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-6360\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/86\/2015\/10\/05194709\/vulneruble-android-chart.jpg\" alt=\"vulneruble-android-chart\" width=\"680\" height=\"400\"><\/a><\/p>\n<p>So, why do different vendors offer differing security levels? First, it depends on whether the OS version is up to date; Google, the Linux Foundation and other relevant Android developers issue regular updates, which include security patches for known vulnerabilities.<\/p>\n<p>The thing is that the majority of Android devices aren\u2019t queuing to get those updates, so it doesn\u2019t happen as fast as it should. It\u2019s not Google who sends the OTA (over the air) updates, but your carrier. \u00a0The difference from Apple devices is that Apple control this, enabling the majority of their customers to update in one fell swoop. 
\u00a0Due to the fragmentation of the Android market, this is simply impossible.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">1 Billion <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a> devices vulnerable to <a href=\"https:\/\/twitter.com\/hashtag\/NEW?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#NEW<\/a> Stagefright flaws\u2026 <a href=\"https:\/\/twitter.com\/hashtag\/nopatches?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#nopatches<\/a> <a href=\"https:\/\/t.co\/1Wt8iqOY2b\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/1Wt8iqOY2b<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"http:\/\/t.co\/LJUuODPDra\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/LJUuODPDra<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/649575239999950848?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">October 1, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>Even with all manufacturers vowing to offer users a two-year support plan, many devices stop receiving updates some time close to the end of their lifecycle (or even in the middle of it). This means that the shiny new smartphone you just bought may very well be out of date by the time your contract rolls around in two years\u2019 time.<\/p>\n<p>To quantify the level of security for various Android vendors, the Cambridge research group introduced the FUM index. 
This abbreviation means the following:<\/p>\n<p>\u2022 F (free) \u2014 the share of devices which were free of critical vulnerabilities throughout the testing.<\/p>\n<p>\u2022 U (update) \u2014 the share of a particular vendor\u2019s devices which run the latest version of Android.<\/p>\n<p>\u2022 M (mean) \u2014 the average number of unpatched vulnerabilities in the phones of a particular vendor.<\/p>\n<p>The normalised total of those values constitutes the FUM index, with values ranging from 1 to 10. It serves as a means of evaluating a vendor\u2019s security score.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">95% of <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a> phones can be hacked with one just <a href=\"https:\/\/twitter.com\/hashtag\/MMS?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#MMS<\/a>, millions at risk <a href=\"https:\/\/t.co\/BJg5e7ss8N\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/BJg5e7ss8N<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/infosec?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#infosec<\/a> <a href=\"http:\/\/t.co\/DGBSkhQdDo\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/DGBSkhQdDo<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/628620894395629568?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">August 4, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>In just four years, from July 2011 through 2015, the mean FUM index for all Android devices turned out to be abysmally low \u2013 2.87 out of 10. 
The most secure smartphones are, predictably, Google\u2019s Nexus devices.<\/p>\n<p>For Nexus devices, FUM reaches the value of 5.17 \u2013 still not quite close to 10. Unfortunately, updates do not land on Nexus devices straight away: the delivery of OTA updates can take up to two weeks, and all the while the device remains insecure.<\/p>\n<p>To do justice to other smartphone vendors, the champions are LG (FUM 3.97), followed by Motorola (3.07), Samsung (2.75), Sony (2.63), HTC (2.63) and ASUS (2.35).<\/p>\n<p>The most insecure devices belong to B-grade and no-name brands like Symphony (0.30) and Walton (0.27). We might assume that most Chinese no-names have a FUM index as low as that.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Of Non-Nexus Devices and the <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/Security?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Security<\/a> Rewards Program: <a href=\"http:\/\/t.co\/owKwqqFmDJ\" target=\"_blank\" rel=\"noopener nofollow\">http:\/\/t.co\/owKwqqFmDJ<\/a> via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/611517438694400001?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">June 18, 2015<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>What is a bit unsettling about the research is the deliberate exclusion of Huawei, Lenovo, and Xiaomi smartphones, although these brands, according to IDC analytics, occupy the 2nd, 3rd, and 4th positions in the global best-selling rating for Android smartphones.<\/p>\n<p>With that 
and other side-notes in mind, this research cannot be considered absolutely fair and true,\u00a0yet this doesn\u2019t diminish its importance. The researchers managed to present a holistic (and thus gloomy) picture of the ecosystem\u2019s security and draw attention to common pain points in the infosec domain.<\/p>\n<p>We should admit Android is a desperately vulnerable system. It will remain so unless Google revamps the OS and the model of distribution to enable a simultaneous, regular and vendor-agnostic update mechanism that spares users the currently cumbersome mission of making sure their device is secure.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Protect your <a href=\"https:\/\/twitter.com\/hashtag\/Android?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Android<\/a>: 10 tips for maximum security <a href=\"https:\/\/t.co\/PDu801dfyg\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/PDu801dfyg<\/a> <a href=\"http:\/\/t.co\/auqQf6NfVL\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/auqQf6NfVL<\/a><\/p>\n<p>\u2014 Eugene Kaspersky (@e_kaspersky) <a href=\"https:\/\/twitter.com\/e_kaspersky\/status\/531065465049972736?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 8, 2014<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>But what can users do now to ensure their devices are protected? Here are some simple tips:<\/p>\n<p>1. Apply updates as soon as they are available.\u00a0<em>Don\u2019t ignore them.<\/em><\/p>\n<p>2. Download apps only from trusted sources and look out for rogue websites.\u00a0This doesn\u2019t mean you\u2019re spared security issues, but it does mean that you\u2019ll be less likely to be a victim of a vulnerability.<\/p>\n<p>3. 
Use a <a href=\"http:\/\/app.appsflyer.com\/com.kms.free?pid=smm&amp;c=kd-com\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">security solution<\/a> \u2013 if smartphone vendors are slow to enable security patches and save users from exploits, antivirus companies might do a better job here.<\/p>\n<p>4. And just try to be in the loop: read security news. Otherwise you would never know, for instance, that it\u2019s better to disable <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/critical-android-mms-vulnerability\/\" target=\"_blank\" rel=\"noopener\">default MMS downloads<\/a> to avoid issues relevant to the Stagefright vulnerability.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Google\u2019s Android OS is a vulnerable system. Developers make it worse by not providing critical patches in time.<\/p>\n","protected":false},"author":40,"featured_media":6359,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2026],"tags":[105,3840,434,398,192,97,45,529,268],"class_list":{"0":"post-6358","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-android","10":"tag-kaspersky-for-android","11":"tag-mobile-devices","12":"tag-patches","13":"tag-protection","14":"tag-security-2","15":"tag-smartphones","16":"tag-threats","17":"tag-vulnerabilities"},"hreflang":[{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/insecure-android-devices\/6358\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/insecure-android-devices\/6153\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/insecure-android-devices\/6299\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/insecure-android-devices\/7078\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/insecure-android-devices\/6788\/"},{"hreflang":"ru","url":"https:\/\/www.kasp
ersky.ru\/blog\/insecure-android-devices\/9390\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/insecure-android-devices\/10296\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/insecure-android-devices\/4987\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/insecure-android-devices\/5757\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/insecure-android-devices\/6294\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/insecure-android-devices\/9286\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/insecure-android-devices\/9390\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/insecure-android-devices\/10296\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/insecure-android-devices\/10296\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.co.uk\/blog\/tag\/android\/","name":"Android"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6358","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/comments?post=6358"}],"version-history":[{"count":2,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6358\/revisions"}],"predecessor-version":[{"id":17844,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/posts\/6358\/revisions\/17844"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media\/6359"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/media?parent=6358"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersk
y.co.uk\/blog\/wp-json\/wp\/v2\/categories?post=6358"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.co.uk\/blog\/wp-json\/wp\/v2\/tags?post=6358"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}