Unless you bought the phone or tablet recently, odds are high that your Android device is running an outdated version of the operating system, exposing you to serious security risks.
The latest data from Google shows that 44 percent of Android users are still on “Gingerbread,” or versions 2.3.3 through 2.3.7, which was released two years ago. Gingerbread has a number of security vulnerabilities which have been fixed in later versions. The OS breakdown data is based on statistics collected from Android devices connecting to Google Play from Feb. 22 to March 4.
Just 16 percent of Android devices are running version 4.1 or 4.2 of the mobile operating system, according to Google. Also known as “Jelly Bean,” the latest Android version was released six months ago, but a majority of Android users have not been able to upgrade to the new OS because the process is tightly controlled by the carriers.
“The problem with Android is that most people have old versions on their phone,” Collin Mulliner, a postdoctoral researcher with the SECLAB at Northeastern University in Boston, said during a mobile security panel discussion at last month’s RSA Conference.
At our SecurityWatch Summit last fall, Dan Guido, CEO and co-founder of Trail of Bits, noted that the majority of iOS devices are updated within weeks, it not days, of Apple releasing the new operating system.
Mobile Carriers Lag on Updates
“One of the most important things in software security today is the ability to remotely update,” Mulliner said on the panel. While users can initiate the operating system update on their own for iPhones and iPads, Android, mobile carriers control the entire process for Android devices. At the moment, their collective record for pushing out updates for users is absolutely dismal.
The problem is that Android’s open platform allows device manufacturers and carriers to tweak the operating system to bundle extra software and set certain configuration settings. Whenever Google releases an operating system update, both the vendor and carriers have to test the changes against their homebrew systems before rolling out the latest version. The carriers claim this is a slow process, but many security experts believe carriers are prioritizing profit over security.
Some phones just don’t get the latest Android update because they are being phased out or are older models, Chris Soghoian, a privacy researcher and activist, said at a different event earlier this year. Manufacturers focus their efforts on devices currently for sale and coming to the market, and wireless carriers “only care about you once every two years” when the user contract is up for renewal, Soghoian said. For example, an LG Android smartphone didn’t get its first OS update for 16 months, and many phones never even get that first update, let alone a second one.
Considering that Google has pushed out a new version approximately every six months, it’s easy to see how quickly users can become out-of-date.
A drive-by attack, where the user is compromised just by visiting a malicious site, is not the biggest threat facing Android users, Charlie Miller, a researcher well-known for his work on iOS and Android security, said during the same panel at the RSA Conference.
“People think that drive-by is a big threat, but in real life they just don’t happen,” Miller said. When it comes to Android, the biggest risk facing users is the fact that their devices are running outdated and un-patched versions of the operating system, he said. The latest versions of Android have security patches and improved exploit mitigations.
Cyber-criminals know users are running vulnerable operating systems. All criminals have to do is release a malicious app exploiting a vulnerability in an old version of Android, and hit a significant chunk of the user base.
As Soghoian pointed out earlier, “You don’t need a zero-day to attack most Android devices if consumers are running 13-month-old software.”
Unfortunately, this situation is not likely to change unless carriers start taking security seriously, or Google wrests control of the update process away from the carriers. The most secure Android device around is the Nexus 4 smartphone from Google, as the company has full control over the updates.