Google’s most recent report on Android security reveals that its mobile platform is safer than ever from bugs and malware, but that there’s a long way to go until everyone on Android can feel secure. That’s not to say that Google isn’t working on eliminating bugs and eradicating threats; it’s just that Google can’t control the way OEMs and carriers push out security patches.
Moreover, the report reveals that nearly one in three Android devices will never receive crucial security updates.
According to Google, 70.8% of existing Android devices are eligible for monthly security updates, while 29% aren’t supported. The first gadgets to receive the latest security updates are its Nexus smartphones and tablets. Since August 2015, Google has provided monthly updates to its Nexus devices, releasing them to partners. However, only handsets running Android 4.4.4 KitKat or later can receive the updates once they pass approvals from manufacturers and carriers.
Google kicked off its monthly patches policy and the Android bug bounty following last year’s major Stagefright bug discovery. Samsung has committed to the program, and so have LG, BlackBerry, and Sony. But only a fraction of the 60,000 unique Android devices in the wild receive the updates regularly, Google noted in the report.
Google also said that it did not see any instance where hackers may have exploited the Stagefright bug.
The company said that as long as Android users download apps from the Google Play Store, the risk of malware is very small. Google detected infections on just 0.15 of the devices that get apps from the Google Play Store. The risk is 10 times bigger for apps coming from other app store repositories.
Ghost Push was the biggest malware threat of the year.
“For roughly seven weeks, Ghost Push installation attempts contributed up to 30 percent of all installation attempts worldwide. In total, we found more than 40,000 apps that we categorized into this family and we logged more than 3.5 billion installation attempts for these apps,” Google said.
The company estimates that some four million devices were infected and that it removed the threat from 90% of them.
The Android bug bounty also yielded some impressive results. Developers independently found 58% of the 69 critical bugs Google patched during the year, which netted them a total of over $210,000. Google fixed a total of 173 Android bugs last year, compared with 79 in 2014.
Tim Cook famously used a quote from the press on stage during WWDC 2015, referring to Android security as “a toxic hellstew of vulnerabilities.” It looks like the hellstew is still there, but Google is getting better at fixing the bugs.