Are Android devices really easier to hack? We asked the experts

Remove Android malware
Android is the most widely used mobile platform on the planet. More than 1.4 billion people use an Android smartphone or tablet every single day, and the fact that it’s open source and free for manufacturers to use is a big part of that popularity. But openness is a double-edged sword: It has led to a situation where many Android phones are not regularly updated with the latest security patches.

The specter of malware has loomed large over Android for the last few years, with researchers uncovering very high profile vulnerabilities, like Stagefright. The negative news comes so thick and fast that it can be hard to put into perspective. Just last week we reported on FalseGuide malware, which may have impacted up to 1.8 million Android users.

Going on the headlines alone, you’d be forgiven for having misgivings about Android security, but where’s the line between hyperbole and genuine risk? Is the platform really insecure?

“No, it’s not insecure. I do think we have a bit of a perception problem, but it’s very different from actual user risk,” Adrian Ludwig, director of Android Security, told Digital Trends in a recent interview. “The cryptographic work that we’ve been doing, the sandboxing that we’ve been doing, and a lot of the work to make exploitation more difficult is all coming together nicely.”

There’s little doubt that the most recent versions of Android are more secure than their predecessors, but the problem is that many Android users never feel the benefit. Looking back on 2016 in a blog post, the Android security team admitted that roughly half of the devices in use at the end of 2016 had not received an update for at least 12 months.

“Eighty-four percent of phones are not upgraded, which means most mobile devices are still at risk.”

“Up-to-date versions of Google Android can be considered secure,” Maik Morgenstern, CEO of antivirus rating organization AV-Test, told Digital Trends. “But especially in many older Android versions, more and more vulnerabilities are surfacing and many vendors don’t supply updates for their devices. Currently, over 800 vulnerabilities are known.”

If we look at the official distribution figures for Android as of April, we find that only 4.9 percent of Android devices run the latest versions, Nougat 7.0 or 7.1. That’s a disappointingly small slice of the total. Looking further back, Android 6.0 Marshmallow is running on 31.2 percent of devices, Android 5.0 or 5.1, Lollipop, is on 31 percent of devices, and a fifth of Android devices are still running Android 4.4 KitKat. Most of these devices running older versions of Android are unlikely to ever be updated.

“Eighty-four percent of phones are not upgraded, which means most mobile devices are still at risk,” Joshua J. Drake, vice president of Platform Research and Exploitation at Zimperium, told Digital Trends.

Zimperium is a mobile security company; Drake uncovered the Stagefright vulnerability back in 2015. It had the potential to give hackers control of an Android device through malicious code in an audio or video file — and up to 95 percent of devices were vulnerable to it, according to reports at the time. Drake told us that some devices are still vulnerable today.

Although the potential damage was frightening, it’s unclear what the impact on Android users was.

“Here we are a year and a half in, almost going on two years since we first found out about it, and we still don’t know that anybody’s actually affected,” Ludwig said.

But Drake disagrees.

are android devices really insecure we asked some experts maikmorgenstern
Maik Morgenstern, CEO and Technical Director of AV Test

“We know that there were targeted attacks using vulnerabilities in libstagefright and mediaserver,” he said. “We know it’s hard to prove a negative in general, and we respect Google’s efforts to better secure their platform, but without a sensor on the device, there is no way for anyone to know the risk or threat status of any device — especially a mobile one.”

The problem is that it’s not easy to tell if you have been successfully attacked. In the aftermath of the Stagefright discovery, the security firm founded the Zimperium Handset Alliance to boost communication between researchers, mobile network operators, mobile application developers, and device vendors.

“Researchers need to be encouraged to look into monthly security updates, and try to exploit those vulnerabilities, in order to promote better patching and an overall safer mobile world,” Drake said.

Google has taken some important steps to reduce security risks, putting out monthly patches and breaking down elements of Android to make it easier to push out updates. But older versions of Android have been left behind.

The Android fragmentation problem is not easily solved. Persuading carriers and manufacturers to update their Android devices has proven to be very difficult for Google. It has played directly into the opposition’s hands. Apple’s Tim Cook famously referenced a ZDNet article entitled “Android fragmentation turning devices into a toxic hellstew of vulnerabilities” on a slide at WWDC in 2014. But is iOS really that much better? And if so, why?

“There has been the impression that iOS security is superior to Android security, but that’s not necessarily the case,” Drake said.

Because Android is open-source, it’s easier for security researchers to find flaws and suggest fixes. The closed nature of iOS makes it harder for researchers to see what’s going on, he said. Morgenstern agrees with this assessment, but points to an important difference that makes malware a greater risk for Android.

“Until every update reaches all devices, we are still at risk.”

“For Android users, it is easy to install apps from any source,” explains Morgenstern. “This fact makes it easy to get malicious apps onto the device. The way other platforms handle this is much stricter, by only allowing installations from their closed markets.”

Android is a big target. With such a large user base and open-source code, it’s attractive prey for cybercriminals. AV-Test registers up to 30,000 new Android malware samples every day. That’s a frightening number, but concerned Android users can take action to dramatically reduce the risks by sticking to Google Play for apps, updating devices as soon as patches are made available, and using third-party Android security apps.

Both Drake and Morgenstern also caution against connecting to unknown networks and Wi-Fi hotspots, at least without using decent Android VPN apps.

“Our data shows that most attacks are network in nature, and they don’t discriminate between iOS, Android, or other,” Drake explains. “Once an attacker has silently intercepted and redirected your network traffic, any device is dangerously vulnerable to invasive surveillance, personalized spear fishing, platform exploit delivery, or any number of other follow-on attacks.”

Android security is improving. We can point to faster updates, device encryption, permission requests, app sandboxing to isolate apps from each other, restricted access to resources, and automatic malware scanning in the Play Store. But there’s obviously still work to be done.

“Last year we paid almost a million dollars to researchers,” Google’s Ludwig said, when asked about the importance of third-party research. But despite this research program, Drake feels more is needed.

 googles adrian ludwig says android is more secure than ever security patch2

“To improve Android security overall, it’s imperative for Google to work closer with security vendors,” he said. “Apple and other vendors have increased their cooperation, but Google has decreased it. Google’s philosophy is that they can do everything on their own, but that only damages their users and unfortunately benefits malware authors.”

Ultimately, the question of Android security may come down to the device you use. If you have a two or three-year-old phone that runs an older version of Android and hasn’t been updated in months, you have cause for concern. Owners of Google’s Pixel, by contrast, receive the latest security updates in a timely fashion, at least for the next couple of years.

It’s hard to say how long it will be before most Android devices are running Nougat, or a later version of Android, but even then the slow pace of updates from some manufacturers and carriers will remain an issue.

“Until every update reaches all devices, we are still at risk,” Morgenstern said.

You can find more useful advice on how to stay safe on your Android phone in our Android security guide.

Computing

Internet Explorer zero-day exploit makes files vulnerable to hacks on Windows PCs

Evidence of an Internet Explorer zero-day exploit capable of letting hackers steal files from Windows PCs was published online by a security researcher who also claims Microsoft knew of the vulnerability and opted not to patch it.
Mobile

The 100 best Android apps turn your phone into a jack-of-all-trades

Choosing which apps to download is tricky, especially given how enormous and cluttered the Google Play Store has become. We rounded up 100 of the best Android apps and divided them neatly, with each suited for a different occasion.
Mobile

Google could soon deliver system updates through the Play store

According to code discovered in an update to the Google Play Store, Google may soon deliver actual Android updates straight through Google Play — instead of through a difficult-to-find menu in the Settings app.
Gaming

Here's how you can control your PlayStation 4 right from your phone

Sony built the PlayStation 4 with smartphone and mobile integration in mind. Take a look at our guide for connecting your smartphone or tablet to a PS4, so you can get the most out of the system while on the go.
Mobile

Leaker claims we'll be saying hello to the new OnePlus 7 range on May 14

The OnePlus 6T may still be new, but we're already looking ahead to the upcoming OnePlus 7. It will use the Snapdragon 855, and may have a new pop-up front camera, too. Here's everything we know about the OnePlus 7.
Deals

Decluttr is offering a refurbished iPhone 6 for as little as $120

Decluttr announced a deal on its "good" condition iPhone 6. Through Decluttr, you can get the device for as little as $120, which is an excellent deal on the phone. The iPhone 6 may be a few generations old, but it's still a great device.
Photography

Family feud: Huawei P30 Pro vs. P20 Pro vs. Mate 20 Pro camera shootout

The Huawei P30 Pro's camera has an amazing zoom mode and low light capabilities. But take these away, and how does it compare when facing its sibling phones, the P20 Pro and Mate 20 Pro, taking regular photos?
Mobile

You've spent a grand, now don't skimp on a screen protector for your iPhone X

Wondering how to protect your new iPhone X against scratches and drops? Look no further than our list of the best iPhone X screen protectors, which includes screen protectors designed to reinforce your phone's front panel.
Mobile

Apple and Qualcomm settle all disputes, reach six-year agreement on chips

Apple and Qualcomm have announced that they have settled all disputes between them around the world -- and not only that, but have also agreed to a six-year agreement for Qualcomm to supply Apple with chips.
Mobile

The Department of Justice may prevent the T-Mobile-Sprint merger

T-Mobile and Sprint are getting closer to merging. After a few failed attempts, the two companies announced their merger at the start of 2018. The new T-Mobile could be better positioned to take on the likes of Verizon and AT&T.
Mobile

Spruce up your Lenovo smartphone with the best Moto Mods for the Moto Z-series

Moto Mods, the snap-on accessories compatible with Lenovo's Moto Z-series smartphones add a lot of value without adding a lot of bulk. Looking to try one out? Here are a few of our favorite Moto Mods.
Mobile

The Pixel 3 range will soon be coming to T-Mobile's network

Google's latest flagships, the Pixel 3 and Pixel 3 XL, are now official and we have all the details from the October 9 event in New York City and Paris. Here's everything we know about the Google Pixel 3 and Pixel 3 XL.
Mobile

The Pixel 3a and 3a XL will be coming to the U.S. with T-Mobile

The Google Pixel 3 and Pixel 3 XL are considered to be two of the best Android smartphones, but it looks like Google could be prepping a midrange line. Say hello to the Pixel 3a and Pixel 3a XL.
Mobile

Keep your new iPad (2018) sparkling with the best screen protectors

Your iPad sports a stunning 9.7-inch screen and you'll want it to stay that way. The best iPad (2018) screen protectors guard against cracks, scratches, and even smudging from your fingers. Check out our top picks here.