Nearly One Third of Android Users Don’t Get Patches

Some 29% of global Android devices are running a version of the OS earlier than 4.4.4, meaning they aren’t supported by security updates, according to Google.

The tech giant’s Android Security 2015 Annual Report had the following (h/t The Register):

“The Android Security Team regularly provides security patches to manufacturers for Android 4.4.4 and higher so they can provide security updates to their devices. 70.8% of all active Android devices are on a version that we support with patches.”

Google estimates in the report that the Android ecosystem comprises over one billion devices, which means at least 292 million smartphones and tablets based on the operating system are at risk in the wild today, and probably many more than that.

They won’t benefit from Google’s laudable attempts to improve security in the ecosystem.

These include bringing Android into the Vulnerability Rewards Program to encourage white hats to find bugs, and the launch of a monthly public security update program and security update lifecycle for Nexus devices – the latter encouraging hardware partners to do the same, according to lead engineer, Adrian Ludwig.

These hundreds of millions of users will also not be able to take advantage of the security features in the latest Android version Marshmallow (6.0), which include full disk encryption; more granular app permissions; verified boot functionality; support for fingerprint scanners; and a patch level checker.

Google was keen to draw attention to other security accomplishments over the past year, including scanning 400 million devices each day automatically for network and on-device threats via Google Mobile Services; and Verify Apps, which has kept Potentially Harmful Applications (PHAs) off the vast majority of devices.

Just 0.15% of those which download solely from Google Play have installed a PHA.

Tripwire security researcher Craig Young argued that Google has done a great job on security in the past few releases of Android, but that this work has been undermined by users not upgrading.

“Unfortunately Android’s platform dashboard shows that there are more devices running completely unsupported software than there are devices running with the two latest (5.1 and 6.0) releases,” he explained.

“This is definitely a big problem for Android. Patching this bug in the Android ecosystem will probably mean more rules for handset manufacturers to follow if they wish to ship devices with Google’s proprietary apps.”
