87% of Android phones are vulnerable to hackers, researchers warn
The huge number of Android handsets from different manufacturers combined with the number of different versions of the software has left millions of handsets vulnerable to hackers, a new study has claimed.
Researchers analysed the handsets and software they were running.
‘We find that on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities,’ the Cambridge team concluded.
Researchers marked each handset out of ten. The team also created a special site to check phones for vulnerabilities.
The study uses data collected by the team’s Device Analyzer app, which is available from the Google Play Store.
Daniel Thomas and Alastair Beresford, the pair behind the study, blame phone makers.
‘The app collects data from volunteers around the globe and provides us with the statistical data we need,’ said Daniel Thomas, lead author of the study.
‘We have used data from over 20,000 devices to support our results, but we’re keen to recruit more contributors.’
‘The security community has been worried about the lack of security updates for Android devices for some time,’ said Dr Rice.
‘Our hope is that by quantifying the problem we can help people when choosing a phone and that this in turn will provide an incentive for manufacturers and operators to deliver updates.’
‘Google has done a good job at mitigating many of the risks,’ said Dr Beresford, ‘and we recommend users only install apps from Google’s Play Store since it performs additional safety checks on apps.
‘Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users.
‘Phones require updates from manufacturers, and the majority of devices aren’t getting them.’
‘The security of Android depends on the timely delivery of updates to fix critical vulnerabilities,’ the pair wrote in the new paper.
‘In this paper we map the complex network of players in the Android ecosystem who must collaborate to provide updates, and determine that inaction by some manufacturers and network operators means many handsets are vulnerable to critical vulnerabilities.’
‘On average over the last four years, 87% of Android devices are vulnerable to attack by malicious apps,’ they said in a blog post explaining the research.
DailyMailonline reported that data for the study was collected through the group’s ‘Device Analyzer’ app, which has been available for free on the Play Store since May 2011.
After the participants opted into the survey, the University says it collected daily Android version and build number information from over 20,400 devices.
The study then compared this version information against 13 critical vulnerabilities (including the Stagefright vulnerabilities) dating back to 2010. Each individual device was then labeled ‘secure’ or ‘insecure’ based on whether or not its OS version was patched against these vulnerabilities.
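The labelling step described above, sketched as an added example (not code from the study or from the Device Analyzer app). The vulnerability names, dates, fix versions and device observations are constructed, and the comparison assumes the OS version alone decides patch status, ignoring build numbers.

```python
from datetime import date

# Constructed vulnerability table with placeholder names (not the study's list).
# Each entry: (name, date it became publicly known, first OS version with the fix).
VULNS = [
    ("VULN-A", date(2014, 3, 1), (4, 4, 3)),
    ("VULN-B", date(2015, 7, 27), (5, 1, 1)),
]

# Constructed daily observations: (device id, day, reported OS version).
OBSERVATIONS = [
    ("dev1", date(2014, 2, 1), "4.4.2"),
    ("dev1", date(2014, 4, 1), "4.4.2"),
    ("dev1", date(2015, 8, 1), "5.1.1"),
    ("dev2", date(2014, 4, 1), "4.4.4"),
    ("dev2", date(2015, 8, 1), "4.4.4"),
    ("dev3", date(2015, 8, 1), "5.1"),
]

def parse_version(text):
    """Turn '5.1' into (5, 1, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def unpatched(version_text, day):
    """Names of vulnerabilities known on `day` that this OS version does not fix."""
    version = parse_version(version_text)
    return [name for name, known, fixed_in in VULNS
            if known <= day and version < fixed_in]

def label(version_text, day):
    """'insecure' if at least one known vulnerability is unpatched on that day."""
    return "insecure" if unpatched(version_text, day) else "secure"

def insecure_share(day):
    """Fraction of devices observed on `day` that are labelled insecure."""
    seen = [(dev, ver) for dev, d, ver in OBSERVATIONS if d == day]
    if not seen:
        return None  # no device reported on that day
    bad = sum(1 for _, ver in seen if label(ver, day) == "insecure")
    return bad / len(seen)

if __name__ == "__main__":
    for day in sorted({d for _, d, _ in OBSERVATIONS}):
        print(day, insecure_share(day))
```

A device that never updates moves from ‘secure’ to ‘insecure’ the day a vulnerability affecting its version becomes known, which is why the share is computed per day rather than once per device.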
‘This is because manufacturers have not provided updates.
‘Some manufacturers are much better than others however, and our study shows that devices built by LG and Motorola, as well as those devices shipped under the Google Nexus brand are much better than most.’ The pair also created a special site to check phones for vulnerabilities.
The paper concludes that ‘the bottleneck for the delivery of updates in the Android ecosystem rests with the manufacturers, who fail to provide updates to fix critical vulnerabilities.’
‘Unfortunately something has gone wrong with the provision of security updates in the Android market,’ the study said.
‘Many smartphones are sold on 12-24 month contracts, and yet our data shows few Android devices receive many security updates.’
You might think that Siri and Google work as your personal assistant, but they may also be taking orders from hackers.
French researchers have found the smartphone assistants can be controlled by hackers from as far away as 16ft (five metres).
They say radio waves can be used to trigger voice commands on iPhones and Android handsets with Siri or Google Now enabled, provided a set of headphones is plugged in.
The research, by France’s information security agency, ANSSI, suggests criminals could take control of handsets and eavesdrop on conversations, but it’s not known whether the trick has been exploited in the real world.
The hack, demonstrated by the researchers, is possible by using the headphone’s cord as an antenna, Wired’s Andy Greenberg reported.
This means hackers could use open-source radio software running on a laptop, an antenna and amplifier to send electromagnetic waves picked up by the headphone cord from close range.