Study: 90 percent of Google Android devices vulnerable

Nearly 90 percent of Google’s Android devices have been exposed to critical vulnerabilities, according to a new study.

“Unfortunately something has gone wrong with the provision of security updates in the Android market,” according to the study, which researchers from the University of Cambridge presented this week at the 2015 ACM CCS Workshop on Security and Privacy in Smartphones and Mobile Devices held in Denver.

Three attack vectors were analyzed for the study: installation, dynamic code loading and injection. The first two involve the installation of malware through malicious applications or software that users download, while the third refers to the injection of malicious code directly into existing code on a device through a website.

Out of 32 known vulnerabilities, the authors selected 11 particularly virulent exploits to conduct their analysis, and found “on average 87.7% of Android devices” were vulnerable. “Using a corpus of 20,400 devices we show that there is significant variability in the timely delivery of security updates across different device manufacturers and network operators,” the researchers wrote.

However, they noted, “This does not mean these devices are attacked, but that they are vulnerable. The likelihood of a successful attack then depends on what apps the user installs and where from, as well as the computer networks the device is connected to and the actions the user takes whilst connected.”

They also observed that Apple iOS devices don’t have the same vulnerabilities.

“As well as supplying security updates promptly, the impact of vulnerabilities can be reduced through security in depth,” the authors wrote. “In this regard, iOS provides additional safeguards beyond those used in Android, including a pre-distribution review, mandatory code-signing by the manufacturer, and … the technical prohibition of dynamic code loading by an app.” In other words, Apple does substantially more to prevent applications from downloading and running code after they have been installed.

“These features, combined with mandatory access controls, has resulted in a lower level of malware affecting iOS when compared to Android,” they concluded.

This month, cybersecurity firm FireEye reported the discovery of Chinese malware that had spread to Android devices in more than 20 countries through malicious applications. It is unusual for Apple devices to experience similar attacks unless they have been “jailbroken” by users.
