Google’s Android platform has a reputation for being vulnerable to hacking and malware, but the reality is that developers and hackers are continuing to play the a coding cat and mouse game. There are many scary statistics used in headlines detailing the number of devices that are potentially vulnerable to a security flaw. Stagefright was seen as being a potential hazard to around a billion devices, and the latest big name issue, Quadrooter, which is seen as being a potential threat to around 900 million Qualcomm-powered Android devices. We are seeing hackers and security investigators uncovering deeper and deeper issues in the Android platform code, but this points towards something often overlooked: the deeper we must investigate to find a critical glitch, the more hardened the outer layers of the operating system are. This is a simplistic perspective, but read on.
Mobile device security developers like to release scary statistics almost as though they are trying to frighten potential customers into downloading and using their safer-device products. For example, mobile security solution provider, 360 Security, explained earlier in the year that the damage attributed to mobile ransomware for all of 2015 amounted to 95.6 billion won (approximately £65 million or $86 million). Their statistics show that 900,000 devices were infected between June 2013 and the first quarter 2016. Another security business, AhnLab, collected almost 50,000 malicious app samples in the first half of 2016 designed to root a device. Once a device is rooted – that is, once third party applications can gain access to the whole of the storage and not just the ordinarily permitted space – the device is effectively compromised and can be made to do pretty much anything the developers want it to. AhnLab explain that the number of rooting applications is around four times that of the second half of 2015 – this is a relatively new trend in mobile device malware.
Where is the blame for this? As always, it is a complicated question to answer. Google has made some great steps to harden Android by releasing software patches on a monthly basis. Some manufacturers or brands, such as Google’s Nexus, BlackBerry, Samsung and LG (the latter two for some devices) take these critical vulnerability patches and apply it to their device software. Other companies, such as HTC and Motorola, do not give Google’s critical security patches the same priority. Motorola will get around to updating devices and HTC go so far as to hide the patch date update in devices running Android 6.0 Marshmallow, presumably so customers don’t realise the software on their handset is six months behind. It’s time for manufacturers to step up and take security updates seriously. Google also use the Bouncer application monitoring system on the Google Play Store, which is designed to detect malicious applications as they are uploaded. Bouncer is not perfect but it helps: mobile app security business, Seworks, states that around 80% of applications available on the Google Play Store are “vulnerable to hacking” and 166 of the top 200 free applications are “prone to the possibility of decompile-based forgery and falsification.” In other words, malicious developers can take the original application and re-make it with embedded malware. Bouncer should detect these issues, but it’s an arms race between the hackers and those who would keep our devices safe.
The biggest threat is still seen as going off-platform for third party applications and games. Downloading a non-Google Play Store application from an unknown third party application store with no equivalent to the Bouncer service is asking for trouble. Google provides a toggle for allowing customers to install non-Play Store applications; sticking with the Google Play Store and using a device that is actively supported with monthly updates goes a long way towards keeping malware able of damaging our data off our devices. We should also be encouraging legitimate developers to harden their applications to make it harder to decompile and clone, and of course we absolutely need to encourage manufacturers to update their devices – all of their devices – on the same monthly schedule as Google.