Unless you bought the phone or tablet recently, odds are high that
your Android device is running an outdated version of the operating
system, exposing you to serious security risks.
The latest data from Google
shows that 44 percent of Android users are still on "Gingerbread," or
versions 2.3.3 through 2.3.7, which was released two years ago.
Gingerbread has a number of security vulnerabilities which have been
fixed in later versions. The OS breakdown data is based on statistics
collected from Android devices connecting to Google Play from Feb. 22 to
Just 16 percent of Android devices are running version 4.1 or 4.2 of
the mobile operating system, according to Google. Also known as "Jelly Bean,"
the latest Android version was released six months ago, but a majority
of Android users have not been able to upgrade to the new OS because the
process is tightly controlled by the carriers.
"The problem with Android is that most people have old versions on
their phone," Collin Mulliner, a postdoctoral researcher with the SECLAB
at Northeastern University in Boston, said during a mobile security
panel discussion at last month's RSA Conference.
At our SecurityWatch Summit
last fall, Dan Guido, CEO and co-founder of Trail of Bits, noted that the majority of iOS devices are updated
within weeks, if not days, of Apple releasing the new operating system.
Mobile Carriers Lag on Updates
"One of the most
important things in software security today is the ability to remotely
update," Mulliner said on the panel. While users can initiate the
operating system update on their own for iPhones and iPads,
mobile carriers control the entire process for Android devices. At the
moment, their collective record for pushing out updates for users is
The problem is that Android's open platform allows device
manufacturers and carriers to tweak the operating system to bundle extra
software and set certain configuration settings. Whenever Google
releases an operating system update, both the vendor and carriers have
to test the changes against their homebrew systems before rolling out
the latest version. The carriers claim this is a slow process, but many
security experts believe carriers are prioritizing profit over security.
Some phones just don't get the latest Android update because they are
being phased out or are older models, Chris Soghoian, a privacy
researcher and activist, said at a different event earlier this year.
Manufacturers focus their efforts on devices currently for sale and
coming to the market, and wireless carriers "only care about you once
every two years" when the user contract is up for renewal, Soghoian
said. For example, an LG Android smartphone didn't get its first OS
update for 16 months, and many phones never even get that first update,
let alone a second one.
Considering that Google has pushed out a new version approximately
every six months, it's easy to see how quickly users can become
A drive-by attack, where the user is compromised just by visiting a
malicious site, is not the biggest threat facing Android users, Charlie
Miller, a researcher well-known for his work on iOS and Android
security, said during the same panel at the RSA Conference.
"People think that drive-by is a big threat, but in real life they
just don't happen," Miller said. When it comes to Android, the biggest
risk facing users is the fact that their devices are running outdated
and unpatched versions of the operating system, he said. The latest
versions of Android have security patches and improved exploit mitigations
Cyber-criminals know users are running vulnerable operating systems.
All criminals have to do is release a malicious app exploiting a
vulnerability in an old version of Android, and hit a significant chunk
of the user base.
As Soghoian pointed out earlier, "You don't need a zero-day to attack
most Android devices if consumers are running 13-month-old software."
Unfortunately, this situation is not likely to change unless carriers
start taking security seriously, or Google wrests control of the update
process away from the carriers. The most secure Android device around
is the Nexus 4 smartphone from Google, as the company has full control
over the updates.