Speaking at the RSA security conference in San Francisco, Adrian Ludwig, Google's Director of Android Security, said that although the Stagefright vulnerability put more than 95% of Android devices at risk, there were no confirmed cases of the bug being exploited in the wild.
A similar story played out with the Masterkey vulnerability of 2013. That flaw potentially affected 99% of Android devices, yet exploits abusing it peaked at fewer than eight infections per one million users, and no exploits were seen before the flaw was made public.
Likewise, the FakeID flaw of 2014 potentially affected 82% of Android devices, but exploits peaked at one infection per one million users. Again, this came only after the details of the vulnerability were published; there were no confirmed cases of exploitation before that. The pattern suggests that publicity around a vulnerability does more to drive attempts at exploiting it than the flaw's existence alone.
Ludwig's figures cover Android devices with Google Play Services installed. They therefore exclude the very large number of Android devices in China, as well as any other devices that ship without Google Play Services.
“Most of the abuse we get isn’t interesting from a security perspective. We see spamming ads for fake antivirus stuff, but it’s really basic social engineering. Even if malware is installed, it seldom involves privilege escalation; it primarily just downloads other apps.”
On devices that do have Google Play Services (around 1.4 billion Android devices), the malware scanning done by Google's “Verify Apps” feature reports back to Google on how exploits are spreading, which is why Ludwig is confident in his figures. The caveat is that those figures describe only what that telemetry can see: abuse that Verify Apps detects on Play-enabled devices, not every device and not every delivery vector.
Taken at face value, Ludwig's statements suggest that outside reporting on Android security leans toward fear-mongering: recent exploits were hyped up and presented as greater threats than they turned out to be, since the devices actually infected were a tiny fraction of the vulnerable population. And the malware Android does see skews heavily toward adware spread through shady apps that unsuspecting users install themselves, rather than code injection or privilege escalation.
Even so, we would argue that these vulnerabilities and exploits matter and should be publicized. Stagefright itself is the prime example. We called Stagefright the exploit that changed Android not because it affected 95% of devices, but because it renewed focus on Android security.
The publicity around Stagefright is what prompted Google to start its monthly security update program for supported devices. It also shone a light on which OEMs actually care about the security of their devices, with BlackBerry leading the pack by shipping security updates consistently every month.
The point of security is not to wait until a risk turns into an incident, but to put measures in place before it can. While one could argue that Android security risks are overstated, we would say that the attention they draw serves a purpose: it pushes Android toward being a mature OS.
What are your thoughts on Android security vulnerabilities? Do you think they are overpublicized? Let us know in the comments below!