Cambridge University study finds 87 percent of Android devices vulnerable to attack

BY GreenBot Staff

Published 13 Oct 2015

Android handset makers’ failure to deliver timely security updates leaves almost everyone open to attack.

That’s among the conclusions of a study from Cambridge University that sought to quantify just how bad the Android security situation had become.

To compile the data, the group of researchers published a Data Analyzer app to the Play Store. Along with giving a lot of people the ability to participate, it ensured that phones without Play services that are targeted at emerging markets weren’t calculated into the results. As a result, the team acquired data from 20,000 different Android devices, with most being from major manufacturers like Samsung, LG, HTC, and Motorola. You can download and run the app yourself to give the team more data to work with.

The research, which was partially funded by , is ongoing. So you can download the app to your own Android phone to contribute.

With the data, the Cambridge group then created a score for how quickly all the major manufacturers were applying the latest security updates to their devices. The full results reveal that it isn’t a pretty picture.

[Chart: vulnerable devices. Credit: AndroidVulnerabilities.org]

Data for the research was collected from over 20,000 Android devices running the data analyzer app.

Why this matters: The Stagefright vulnerability demonstrated how quickly one security issue could threaten a ton of devices. That’s because Android updates run into a bottleneck. After Google releases a new version or security fix, the manufacturers have to incorporate it into their own split-off versions of the Android OS before spiriting it off to your device. It’s even worse with carrier-bred phones, as the carrier must also test and approve the updates before they come to you. This contrasts sharply with how updates work on iOS. Apple pushes a button, and it heads right to everyone’s iPhone.

Nexus is best, but everyone needs to elevate their game

The Cambridge team created a FUM score to compare the security provided by the different devices. As the chart indicates, Nexus devices are at the top, with leading the other third-party manufacturers.

[Chart: FUM score]

The scores detail how well (or poorly) Android manufacturers are doing with securing their devices.

Even with the pledge of monthly security updates, no one besides Nexus devices scored above a five out of 10. That could change over time, but it’s too early for us to know how effective these monthly patches are, and whether or not the manufacturers will hold to this promise over the long term. Also, the monthly security patch promise doesn’t solve the bottleneck problem—outside of full-price unlocked phones, carriers still hold the keys to when phones get updates.

Researcher Dr. iel gner summarized the core of the problem.

“Google has done a good job at mitigating many of the risks, and we recommend users only install apps from Google’s Play Store since it performs additional safety checks on apps,” he said. “Unfortunately Google can only do so much, and recent Android security problems have shown that this is not enough to protect users. Phones require updates from manufacturers, and the majority of devices aren’t getting them.”

Fortunately, if you stick to Play Store apps and don’t download any shady software from outside sources, you should be fine. But when it comes time to upgrade your phone, you may want to check back with the Cambridge team as part of your decision about which phone to buy.