Cape Town – Failing to update your Android smartphone could leave you vulnerable to a cyber attack, a security practitioner has warned.
According to Google’s Android Security Report, 70.8% of mobile phones are on the currently supported version.
However, Henry Hoggard a security consultant at MWR InfoSecurity said that vulnerabilities still exist for older operating systems.
“There are serious vulnerabilities such as Stagefright, affecting Android versions 5.1 and below. Devices can be compromised by simply visiting a website, or receiving an MMS message,” said Hoggard.
Stagefright is media playback service for Android and has been identified with vulnerabilities that could allow a cyber criminal to access files or execute code.
Ecosystem
READ: Dangerous banking malware targets Android
Google’s report did not find any instance of a Stagefright exploit in the wild.
“As of this writing, we have not observed, nor are we aware of, any successful attempts to exploit the Stagefright vulnerabilities against actual user devices,” says the report.
Hoggard said that Google’s estimation of vulnerable devices was inaccurate.
“Using stats from the Android Developer Dashboard, we can see that at least 76% of devices would be at risk, instead of the reported 29%.”
Google data shows that 35.6% of Android users are on Lollipop (5.0 and above), 32.5% on KitKat (4.4) and 20.1% on Jellybean (4.1). Just 7.5% of devices run the latest Marshmallow (6.0) operating system.
READ: Advertising malware targets SA smartphones
Unlike Apple which controls the device ecosystem, Google depends on manufacturers to update devices.
“This illustrates the challenge that Google - and the Android user - face: A patch gets written at Mountain View, picked up by a manufacturer sometime, handed off to a service provider, and pushed to the user over-the-air,” said Hoggard.
Google’s report showed that it reduced Potentially Harmful Applications (PHAs) to 0.5% on devices and 0.15% on the Google Play Store. PHAs are defined as applications that may “harm a device, harm the device’s user, or do something unintended with user data”.
Google in 2015 paid out $210 161 to researchers who discovered vulnerabilities in the Android operating system.
Do you heed update notifications for your smartphone? Let us know
- Follow Duncan on Twitter