Generally speaking, when it comes to being as secure as possible (and, just as importantly, staying as secure as possible) newer is better. This is certainly the case if we are talking mobile operating systems such as Android and iOS.
As of the start of March 2017, according to Apple's own metrics some 79% of Apple mobile devices are using the latest iOS 10. Pretty good rates of adoption considering this version of the OS is only six months old.
Now compare that to Google's official figures which reveal that as of March 2017 just 0.3% of Android devices are using the very latest 'Nougat' Android 7.1 version of the OS. Even if we fold in the numbers using the initial Nougat release, Android 7.0, the total barely scrapes over the 1% usage number at 1.2% to be precise.
Even being really liberal with my interpretation of 'latest' and 'most secure' for Android, and folding the Marshmallow Android 6.0 version into the mix as well (and that has been around since October 2015, remember), the total cannot manage even a third, sitting at 31.9%. That number is, from a security analyst's perspective, truly shocking.
But not surprising.
Seriously, nobody should be surprised that Apple can get as high as 79% latest OS penetration given the control it has over the devices people use. If anything, I am surprised the number isn't even higher. Neither should we be surprised that the Android numbers are so low; market fragmentation pretty much ensures that Android users will never be up to date unless they stick to a handful of specific device models.
Those models will not only get the latest versions of the OS, but by so doing they will also be on the receiving end of the monthly security updates that patch known vulnerabilities between major point releases.
Users of handsets running older versions of the OS will not receive these updates. Nor, as a rule, will they ever get the base Android OS updated, and so they will remain at risk of compromise.
I'm not even going down the route, or more literally 'root' of flashing a custom ROM and rolling out your own custom security measures. That's simply not in the realm of the average smartphone user, and it's the average user that's going to be most vulnerable to attack and most likely to be using a device that isn't updated regularly, if at all.
As Art Swift, President of the prpl Foundation (a non-profit that supports open source software), puts it: "end users are lax about installing updates, but the Android phone makers and wireless carriers often don't provide them for older Android phones", which means, according to Swift, "they just move on to the next model and leave their users stranded. This fragmentation is a fundamental weakness of Android vs. iPhone."
So does it come as any surprise that incidents of Android ransomware, for example, are up 50% across 2016? Researchers from ESET made the claim in the 'Trends in Android Ransomware' white paper ahead of the Mobile World Congress in Barcelona at the start of March. Juraj Malcho, the ESET CTO, says "altogether we saw an increase in Android malware detection by around 20 percent, with ransomware on this platform growing at an even faster rate."
According to that ESET research, the authors of lock-screen and file-encrypting crypto-ransomware were essentially just copycatting desktop malware techniques as well as adding a few sophisticated methods to target Android devices specifically. These have included threat actors who both encrypt and then bury malicious payloads ever deeper into infected apps to make detection harder. Malcho calls ransomware for Android a "full-scale global threat" although you might think 'security vendor with product to sell scares customers' is nothing new. True enough, but the research does back up the claims and I've seen similar findings from other researchers.
The truth of the matter is that actually infecting an Android device isn't that easy, and it usually takes a fair bit of unwitting (or unthinking) cooperation from the device owner. Google has built in a number of barriers, even for those who don't use a third party malware protection app or two. So again, I'm not surprised to see malware attempting to con the user into granting device administrator privileges using 'tap jacking' techniques.
A tap-jack is where the malware draws a window of its own on top of the one that actually grants device admin rights. The fake layer is what the user sees (a game prompt, a fake update, whatever); the real device administrator activation screen sits underneath it. When the user taps the button or control in the foreground, the touch passes through to the hidden screen and the device admin privilege is granted in the background.
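As an added illustration (example code written for this article, not code from the page or from any of the vendors it quotes) of the app-side defence against the technique just described: Android lets a view refuse touches that arrive while another window is covering it. The class name ObscuredTouchAwareButton is hypothetical; the APIs used (View.setFilterTouchesWhenObscured, View.onFilterTouchEventForSecurity and MotionEvent.FLAG_WINDOW_IS_OBSCURED) are standard framework calls available since Android 2.3.

```java
import android.content.Context;
import android.util.AttributeSet;
import android.util.Log;
import android.view.MotionEvent;
import android.widget.Button;

/**
 * Hypothetical button for a sensitive action (for example a "Grant" or "Pay"
 * control). It is an added example, not code from the article or from Google.
 * Touches delivered while another window is drawn over this view are dropped,
 * which removes the precondition a tap-jacking overlay relies on.
 */
public class ObscuredTouchAwareButton extends Button {
    private static final String TAG = "TapjackGuard";

    public ObscuredTouchAwareButton(Context context, AttributeSet attrs) {
        super(context, attrs);
        // Same effect as android:filterTouchesWhenObscured="true" in the layout XML:
        // the framework discards touches flagged as passing through another window.
        setFilterTouchesWhenObscured(true);
    }

    /** True if the system marked this touch as arriving through an overlying window. */
    static boolean touchCameThroughOverlay(MotionEvent event) {
        return (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
    }

    /**
     * Called by the framework before onTouchEvent. The default implementation
     * already returns false for obscured touches once the filter is enabled;
     * overriding it here only adds a log line so attempts are visible in logcat.
     */
    @Override
    public boolean onFilterTouchEventForSecurity(MotionEvent event) {
        if (touchCameThroughOverlay(event)) {
            Log.w(TAG, "Dropping touch: this view is obscured by another window");
            return false; // touch is discarded, so onClick never fires
        }
        return super.onFilterTouchEventForSecurity(event);
    }
}
```

Two caveats a practitioner should keep in mind. First, this protects only views inside your own app; the device administrator activation screen the malware in the article targets belongs to the system, and protecting it is Google's job, not yours. Second, the check works regardless of how the overlaying app obtained its draw-over-apps permission, which matters given the later observation that attackers simply started tricking users into granting it.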
Once granted, the malware can protect itself from uninstallation, for example. It can also use these privileges to change the lockscreen PIN, which is the basis of basic, but often effective enough, ransomware infections. Those in the know will realise that this is not the end of the world, or of their data on that device. Resetting the lockscreen using Google's Android Device Manager (or a third party, bells-and-whistles alternative) is usually all it takes.
Google does what it can, outside the scope of dealing with the Android fragmentation problem it faces, to keep malicious apps out of users' hands. With more than 1.5 billion (yes, you read that right) Android devices out there and in active use, Google checks billions of apps and close to a billion devices on a daily basis looking for threats.
The director of Android security for Google, Adrian Ludwig, is on the record as stating that his focus is on the "fundamentals of keeping a single Android device safe" on the basis that "keep one device secure and keep them all secure."
When you take into account that more than 5,000 different Android device variations have hit the market since the summer of 2015 alone, that's quite a task to achieve. That said, breaking a highly fragmented, high volume market problem down to the level of a single device does seem the only way to go for Google.
For Ludwig, and Android, that means three basic tenets: delivering a robust platform, with comprehensive services, within a secure ecosystem of applications.
The delivery of encryption to the masses is perhaps one of Google's biggest successes with Android, at least from Lollipop Android 5 back in 2014, when Google first started shipping devices with it enabled by default. Initially it was a slow roll out, with just 1% of Lollipop users running with encryption enabled. When Android 6, Marshmallow, was introduced in 2015 that take-up rose to 20%, and currently among Nougat Android 7 users it sits at 80%. Ludwig puts this success down to two things: delivery, and making it on by default.
Which is where the security updates come in again. In February 2017 the monthly update delivered patches for 58 Android vulnerabilities. That's nearly 60 opportunities for compromise that remain open to threat actors targeting the vast majority of Android devices, the ones that never receive the patch. Eight of them are rated as critical, by the way, including a remote code execution vulnerability in the Android Surfaceflinger graphics library.
The SonicWall Annual Threat Report points out that Google has something of a mountain still to climb though. Take those tap-jacking attack methodologies I mentioned earlier. Google responded to these by making it harder to use overlays, and threat actors simply responded (as observed by SonicWall researchers) by tricking users into giving them permissions to enable overlays to be used anyway.
The SonicWall GRID Network also saw criminals continuing to use third party app stores to distribute their infected wares. Why would anyone go to such a place rather than the official Google Play Store you may wonder? Especially seeing as the user must specifically enable their device to allow downloads and installation of applications from non-official sources.
The answer is simple: in order to find the applications they want. Such as 'adult' themed apps, for example, which SonicWall saw continuing to be declined at the Play Store but available in droves elsewhere. Unfortunately, those other stores don't have the same level of background security checking that goes on at official stores run by the likes of Google (or, indeed, the infamous walled-garden App Store that Apple oversees), and so their users are left exposed.
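Three of the conditions discussed above (how stale the device's security patch level is, whether installation from unknown sources is switched on, and which installed apps hold the draw-over-apps permission that overlay attacks depend on) can be read from a device programmatically. The following is an added example written for this article, not code from the page or from Google, SonicWall or any other vendor named here; the class name DevicePostureCheck is hypothetical, and it assumes a target of Lollipop through Nougat, the versions the article's figures cover, with the Oreo change to the unknown-sources setting noted in a comment.

```java
import android.Manifest;
import android.app.AppOpsManager;
import android.content.Context;
import android.content.pm.ApplicationInfo;
import android.content.pm.PackageManager;
import android.os.Build;
import android.provider.Settings;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.ArrayList;
import java.util.Date;
import java.util.List;
import java.util.Locale;
import java.util.concurrent.TimeUnit;

/** Hypothetical device hygiene checks; an added example, not code from the article. */
public final class DevicePostureCheck {
    private DevicePostureCheck() {}

    /** Security patch level (yyyy-MM-dd), or null below Marshmallow where the field does not exist. */
    public static String securityPatchLevel() {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            return Build.VERSION.SECURITY_PATCH;
        }
        return null; // pre-M devices: no monthly patch level is reported at all
    }

    /** Days between a patch level string and 'now'; -1 if the string is missing or malformed. */
    public static long patchAgeDays(String patchLevel, Date now) {
        if (patchLevel == null) return -1;
        SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd", Locale.US);
        fmt.setLenient(false); // reject e.g. "2017-02-31" rather than rolling it over
        try {
            Date patch = fmt.parse(patchLevel);
            return TimeUnit.MILLISECONDS.toDays(now.getTime() - patch.getTime());
        } catch (ParseException e) {
            return -1;
        }
    }

    /** Whether sideloading from non-market sources is enabled. */
    public static boolean unknownSourcesEnabled(Context ctx) {
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // Oreo replaced the global switch with a per-app grant; only the
            // calling app's own grant can be queried from here.
            return ctx.getPackageManager().canRequestPackageInstalls();
        }
        // Lollipop to Nougat: a single device-wide setting (deprecated from Oreo).
        return Settings.Secure.getInt(ctx.getContentResolver(),
                Settings.Secure.INSTALL_NON_MARKET_APPS, 0) == 1;
    }

    /** Non-system packages currently allowed to draw over other apps (SYSTEM_ALERT_WINDOW). */
    public static List<String> packagesAllowedToOverlay(Context ctx) {
        List<String> result = new ArrayList<>();
        PackageManager pm = ctx.getPackageManager();
        AppOpsManager ops = (AppOpsManager) ctx.getSystemService(Context.APP_OPS_SERVICE);
        for (ApplicationInfo app : pm.getInstalledApplications(0)) {
            if ((app.flags & ApplicationInfo.FLAG_SYSTEM) != 0) continue; // skip platform apps
            boolean allowed;
            if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
                // From Marshmallow the permission is a user-controlled app-op.
                // checkOpNoThrow is deprecated from Android 10 but still functional.
                allowed = ops.checkOpNoThrow(AppOpsManager.OPSTR_SYSTEM_ALERT_WINDOW,
                        app.uid, app.packageName) == AppOpsManager.MODE_ALLOWED;
            } else {
                // Before Marshmallow it was granted at install time like any other permission.
                allowed = pm.checkPermission(Manifest.permission.SYSTEM_ALERT_WINDOW,
                        app.packageName) == PackageManager.PERMISSION_GRANTED;
            }
            if (allowed) result.add(app.packageName);
        }
        return result;
    }
}
```

A typical use is to call patchAgeDays(securityPatchLevel(), new Date()) and treat anything over roughly 90 days, or a null patch level, as an unpatched device, and to surface packagesAllowedToOverlay to the user so an unexpected entry can be revoked from Settings. The same two values are also available over USB without any app: adb shell getprop ro.build.version.security_patch and adb shell settings get secure install_non_market_apps.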
SonicWall researchers conclude that both ransomware and self-installing apps were a common payload. The SonicWall GRID Threat Network observed more than 4,000 distinct apps with self-installing payloads in a matter of just two weeks...
A report from Sophos Labs, meanwhile, was based upon some 8.5 million suspicious Android apps that were processed by its systems in 2016. The report reveals a 'Top 10' of Android malware families. Andr/PornClk sits at the top of the pile and accounts for more than 20% of all cases reviewed by Sophos in 2016. Close behind, on 13%, was the Chinese-originating SMS sender Andr/CNSMS, and in third place on 10% was the rootkit Andr/DroidRT.
PornClk itself makes money through both adverts and membership fees, taking advantage of root privilege and admin access on the compromised device. Once it has these it will download additional APKs, create shortcuts on home screens and collect sensitive information including device IDs, phone models, Android versions and geo IPs.
Moving on to the Webroot research folk, their 2017 threat report reveals nearly 10 million new or updated apps classified as malicious or suspicious across 2016.
To put this into some context, across 2015 that number was 2 million.
Nearly 10% of these were adware, likely because Android continues to dominate the mobile market in terms of devices out there. Like Windows on the desktop, this market dominance makes Android an attractive target for adware pushers.
Trojans, meanwhile, continued to be the majority player when it came to mobile threats; accounting for 60% for the second year running.
Finally, as if there weren't enough bad news here already, I will finish with the AV-Comparatives test of 110 Android security apps that makes for disappointing reading. With third party apps being the most likely area that end users turn to in order to protect their Android device from compromise, these need to be up to the job. Of the 110 that AV-Comparatives tested, a quarter failed to offer any protection at all. Just as bad, only a third offered 'very good' protection against threats.
Almost a quarter of the apps in the test managed to defend against all 1,000 malicious samples thrown at them. But the same number failed to recognise even a third of the samples. Some actually recognised zilch, nada, zip: not one of them.
As Andreas Clementi, CEO of AV-Comparatives, says "this test shows clearly that when it comes to security, users cannot rely on numbers of downloads or user ratings to determine how effective an app is. Almost all of the apps we tested had user ratings of 4 or above out of 5 in the Google Play Store, but over a quarter of them failed to offer even basic protection against common threats."