Google Android: Nearly one in three devices will never get latest security patches

Google details progress on the Android patching problem, but its annual report shows there's still has a long way to go.

samsung-galaxy-s7-edge-product-hero-5.jpg

Samsung, by far the biggest Android vendor, has been patching some Galaxy models more regularly.

Image: Samsung

Last year Google ramped up efforts to secure Android, but its annual security report reveals patching is likely to remain a challenge for years to come.

In response to last year's Stagefright bugs, Google kicked off monthly patches for Android and the Android bug bounty.

Both had a positive impact on the state of security in the Android ecosystem. Samsung, by far the biggest Android vendor, began updating some Galaxy models more regularly.

LG, Blackberry and Sony also followed suit. But, as Google notes in its 2015 Annual Android Security Report, only a fraction of the 60,000 unique Android models in the wild actually receive regular updates.

Google reports that 70.8 percent of Android devices were eligible for the monthly security updates, leaving 29 percent unsupported to even receive a patch.

MORE ON SECURITY

Google gets serious about Android security: Monthly Nexus software updates

Google just added another big selling point its Nexus line of phones and tablets: The safest Android experience possible.

Read More

Since August, the company has provided monthly fixes for its own Nexus devices, and passes these on to handset makers for Android 4.4.4 KitKat and higher. But updates still require handset makers to customize the updates for each device model and then for carriers to push them out to end users.

Google backed a study last year that blamed handset makers for leaving 87 percent of Android devices exposed to at least one old critical security issue.

Assuming more Android handset makers adopt the monthly patches, this year may prove better as older devices are discarded. Google's developer dashboard indicates that at the beginning of April, 73 percent of Android devices were eligible for the monthly updates.

"We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs," Google lead engineer for Android security Adrian Ludwig wrote.

"Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices. Despite this progress, many Android devices are still not receiving monthly updates. We are increasing our efforts to help partners update more devices in a timely manner," he said.

Despite Stagefright prompting Google into action, Google said it had not seen any attempt to exploit the bugs.

Google's Android bug bounty, which commenced in June, also had a dramatic effect on the number of vulnerabilities found and patched.

Within six months, external researchers found 58 percent of 69 critical bugs that Google patched during the year. It paid out $210,161 in total to researchers who reported bugs and fixed a total of 173 Android bugs last year year, compared with 79 in 2014.

Google also highlights in the report that malware or "potentially harmful applications" is a very low risk for users who only install apps from Google Play, detecting infections on 0.15 of these devices. Devices that install apps from outside of Google Play were around 10 times more like to have malware, it said.

Ransomware apps, for example, were almost exclusively distributed outside of Google Play and represented 0.01 percent of all installs, Google noted.

The biggest malware threat of the year came from a family of malicious apps known as Ghost Push, which would surreptitiously download other malicious apps without the user's permission.

"For roughly seven weeks, Ghost Push installation attempts contributed up to 30 percent of all installation attempts worldwide. In total, we found more than 40,000 apps that we categorized into this family and we logged more than 3.5 billion installation attempts for these apps," Google notes.

Google estimated that around four million devices were infected with Ghost Push apps and that it has now removed it from 90 percent of infected devices.

Google also worked with security engineers at a Russian bank to tackle malicious apps designed to steal customer's SMS two-factor authentication codes.

Google estimated there were 100,000 infected devices, and its cleanup effort involved modifying its Verify Apps security feature to remove the apps from affected devices.

Read more about Android security