90% of Android Phones Are Running Outdated OS

A full 90% of Android devices are running out-of-date versions of the Android operating system (OS)—posing a significant potential risk for corporate IT environments.

A similar analysis of iOS devices meanwhile revealed that 50% to 80% of Apple iPhones are out of date. Outdated iOS devices have well-known vulnerabilities such as Ins0mnia and Quicksand that make these devices susceptible to attacks.

The findings, from Duo Security’s analysis of its installed base of more than 1 million mobile devices, show that the Android problem is slightly bigger than the iPhone issue. One-fifth (20%) of iPhones run the latest Apple operating system version, iOS 9.2, compared to 6% of Android devices running the latest version 6.0 (known as Marshmallow).

A third of Android devices don’t use passcodes on their lock screens (compared to just one in 20 on Apple devices).

Perhaps most concerning, about 32% of Android devices in use in enterprises today are running version 4.0 or older of the operating system, leaving them highly susceptible to vulnerabilities like Stagefright. Stagefright allows an attacker to compromise an Android device via an MMS message such as a video or photo, potentially allowing an attacker access from the device to corporate networks.

And, an additional finding reveals that one in 20 of all Android devices used in enterprises are rooted, leaving them vulnerable to numerous attacks. That’s compared to the one in 250 iPhones that are jailbroken.

Further, Duo estimates that over 20 million mobile devices connected to enterprise networks are no longer supported by the device manufacturer and therefore cannot be upgraded to the latest versions of the software, which would fix their vulnerabilities. In fact, there are many devices still on the market that cannot receive updates, meaning that even a brand-new device may be a security concern for the enterprise.

Again, this is more of an Android issue than an iPhone problem. Popular Android devices in use today, such as Galaxy S III, are no longer supported by older versions of Android due to hardware limitations. However, Apple continues to support system updates for iPhone 4S, released over four years ago

Many Android devices are running different, older versions of the OS. This is due to the large number of hardware manufacturers and models in the ecosystem—several studies, such as OpenSignal, suggest there are over 10,000 unique Android devices in existence. At Duo, if we eliminate devices in our dataset that are obviously emulators, then we can see over 3,700 unique Android hardware models.

The most popular Android device model is Samsung Galaxy S5, which represents 14% of Androids across all carrier models, followed by the Galaxy S4. Overall, Samsung holds 57% of the Android hardware OEM share on Duo, with LGE and Motorola far behind with 13% each.

With the growing number of personal mobile devices in the workplace, the findings should raise alarms for IT. If employees are logging into a company’s networks and apps with vulnerable devices, then the entire company could be at risk.

The research suggests that these platforms continue to become the dominant choice for accessing data and services, so understanding platform security on mobile becomes that much more critical. A full one in five authentication events come from mobile devices, and that number is on the rise.

“IT administrators need to gain visibility into the health of all devices accessing their critical applications so that they can better protect these apps and at the same time improve the overall hygiene of all the devices,” said Ash Devata, vice president of product at Duo Security.  

The findings dovetail with a December report from G DATA, which surmised that of the more than two-thirds of people worldwide who use Android’s operating system, more than 80% of them are using an outdated version. According to G DATA’s Q3 2015 Mobile Malware report, there also were 6,400 new instances of malware targeting Android devices every day in the third quarter—translating into a lot of risk.

Duo recommends that IT professionals implement the following measures to reduce the risk of compromised mobile endpoints:

•     Establish basic mobile device security policies for the company and get buy-in from business managers.

•     Enable all employees to use passcodes and fingerprint screen locks to prevent trivial access to sensitive data on mobile phones.

•     Consider excluding phones that are jailbroken or rooted from access to corporate data and systems.

•     Provide helpful tips and reminders to users to check for updates on personal devices accessing company data.

•     Update or replace outdated hardware in use in the enterprise that may no longer be supported with security updates by the manufacturer.

•     Recommend that employees using Android devices consider Nexus handsets with more frequent and direct platform update support.

•     Address common update issues up front with guidance on problems related to updating mobile devices, such as providing tips on freeing space for updates.

•     Encourage users to update during downtimes such as at dinner or before bed.

What’s Hot on Infosecurity Magazine?