50% of Android phones have unpatched vulnerabilities

“We feel this is actually a fairly conservative estimate based on our preliminary results,” said researcher Jon Oberheide

Duo Security has done a study using its X-Ray tool, which instead of scanning for malicious apps installed on the device, takes a different approach to security. It performs a vulnerability assessment to look for unprotected vectors on phones that could be exploited by an enterprising hacker.

“As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users’ mobile devices often remain vulnerable for months and even years,” said researcher Jon Oberheide, in a blog post. “While it’s well-known in the security community that slow patching of vulnerabilities on mobile devices is a serious issue, we wanted to bring greater visibility to the problem.”

Since launching X-Ray a few months ago, Duo has collected results from more than 20,000 Android devices worldwide. Extrapolating from the sample, the research estimates that more than half of Android devices have unpatched vulnerabilities that could be exploited by a malicious app or adversary. And that number, Oberheide says, is conservative.

“Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc.) has performed thus far,” said Oberheide. “We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.”

Android malware has been on the rise this year, becoming one of the more common mobile threats compared with security threats against the iPhone and other mobile platforms. In fact, malware incidents are at their highest point since 2009, according to McAfee, with Android attacks making up the largest target group.

New malware leaped from 70,000 instances in 2009 to almost 90,000 so far this year, according to the 'McAfee Threats Report: Second Quarter 2012'. And when it comes to targeting Android-based mobile devices, “it is fully functional and mature, and mobile malware writers know what they are looking for: consumer and business data,” the security firm said.

The latest method of Android infection is through malicious websites – a gambit that is well-known from the PC world. "If much of Android malware seems familiar to PC malware, it should come as no surprise," the report says. "Malware writers leverage the expertise they honed during the years of writing malware for other platforms."
