Another day, another Android vulnerability – this time there are multiple, though, thanks to Google ignoring old devices.
Every operating system needs to get constant updates in order to receive the latest security patches. Otherwise, there’s a risk of hackers exploiting zero-day vulnerabilities. Keeping this in mind, the Android operating system receives updates regularly from Google. However, there’s a problem here.
According to the very recent Android Security Bulletin published on the 2nd of March, no updates were issued for any Android version below 8.0, which essentially means that every device on 7.0 or below is left vulnerable. Timeline-wise, these phones would be those that were first available for sale in 2012.
A snapshot from the security bulletin detailing system vulnerabilities; note that the updated Android versions on the far right do not go below 8.0.
The issue was initially reported by Which?, which, using “Google’s own data from May 2019”, found that 42.1% of Android devices worldwide are running version 6.0 or below, leaving 2 in every 5 Android smartphones vulnerable.
To further make sure this was the case, a test was also conducted on 5 different devices:
- Motorola X
- Samsung Galaxy A5
- Sony Xperia Z2
- Google Nexus 5
- Samsung Galaxy S6
Excluding the Samsung Galaxy A5, which was released in 2017 and could be updated to version 8.0 of Android, all the other smartphones were 3 or more years old and could be updated to version 7.0 at most. Once these were selected, AV-Comparatives, an antivirus lab, was asked to test these devices by trying to infect them with malware. No surprise – they succeeded, with the results given below:
But this isn’t the scary part yet. Compare this with what a firm of similar size and clout does: Microsoft supports its versions of Windows for about 10 years. Google, on the other hand, has not shown much care in response to the aforementioned revelations.
In fact, Which? has reported that when it contacted the tech giant to ask how many devices in the UK were vulnerable in light of the above analysis, Google declined to comment. Furthermore, it only provided information on how long its own devices – Nexus and Pixel models – will be supported, directing Which? to contact the device manufacturers themselves in the case of another brand.
Google’s response isn’t new. Earlier today, HackRead published a report on an exposed database leaking 201 million personal, property and demographic records of American citizens. The researcher behind the discovery reported the incident to Google since the database was hosted on Google Cloud Server, yet he never received any response from the company.
Nonetheless, we do have a certain amount of hope from a couple of projects mentioned by Google in their response, like Treble and Mainline, which are geared towards making security updates easier and more accessible for both manufacturers and end-users.
It is important to note, though, that both of these are far from being fully functional at present, and hence we don’t know for sure if they will solve security problems.
For readers who currently find themselves with an old device, it is recommended that you try to update your operating system via System settings. If this is not possible due to a lack of in-built support, you can either go for a newer smartphone or start being more cautious about the apps and other content you access on your phone.
Additionally, you should install good anti-virus software, which automates part of the job and makes it easier. Stay safe online!