Google is making progress in the fight against malware in the Play Store, but it must be noted that more than half a billion Android devices do not receive the company's regular security updates. Many of these devices have blatant security gaps.
According to Google, the security of Android devices is “still a lot up in the air.” In its annual Android security review, the company calls 2016 a victory against Trojans and malicious apps, but the record on security updates is poor. As before, “about half” of all Android devices do not receive Google’s monthly security updates. This does not refer to devices that get these essential updates late: Google is speaking of over half a billion smartphones and tablets that have not received them at all, and that therefore have blatant security deficiencies.
The Stagefright catastrophe has a positive effect
The fact that Google is making good progress in the fight against malicious apps is, on the other hand, good news for Android users. In Google's own store, malicious apps make up only half of one per thousand of all installations, and a total of just seven per thousand of all installed apps. Without updates to the underlying operating system, however, Google’s protective measures are only patchwork.
This is because some of the security gaps in unpatched Android devices can be triggered by infected media files from the network and do not depend on an app being installed on the device. What Google is selling as a “significant rebuilding of video and audio files” is in fact a necessary response to a never-ending series of catastrophic programming errors in the media framework Stagefright, the codename of this system component. In hindsight, it reads like a bad joke.
More collaboration – but how?
Google wants to address this problem through better collaboration with device manufacturers. This is not a new approach: the company struck a similar tone at the launch of the monthly security patches. While many of the big manufacturers are working with Google to deliver the patches more or less promptly, there are still many manufacturers that throw millions of devices onto the market and have little interest in working with Google. How the Android makers want to change this in concrete terms remains unclear, even after the latest security report and the related webinar. Google’s statements on the subject are more than vague.
The Vault 7 leaks show how fatal unpatched Android devices can be. According to them, the CIA has also made use of such gaps in order to spy on its targets. The bigger the gaps are, the easier it is for attackers like the US intelligence services to crack the device. At least Google is making an effort to discover the gaps as early as possible. Last year, nearly one million dollars was paid to independent security researchers as rewards for discovered Android gaps.