87% of Android devices are insecure, University of Cambridge study finds

“It’s easy to see that the Android ecosystem currently has a rather lax policy toward security, but a recent study from the University of Cambridge put some hard numbers to Android’s security failings,” Ron Amadeo reports for Ars Technica. “The conclusion finds that ‘on average 87.7% of Android devices are exposed to at least one of 11 known critical vulnerabilities.'”

“Along with the study, the University of Cambridge is launching AndroidVulnerabilities.org, a site that houses this data and grades OEMs based on their security record,” Amadeo reports. “The group came up with a 1-10 security rating for OEMs that it calls the ‘FUM’ score. This algorithm takes into account the number of days a proportion of running devices has no known vulnerabilities (Free), the proportion of devices that run the latest version of Android (Update), and the mean number of vulnerabilities not fixed on any device the company sells (Mean).”

“The study found that Google’s Nexus devices were the most secure out there, with a FUM score of 5.2 out of 10. Surprisingly, LG was next with 4.0, followed by Motorola, Samsung, Sony, and HTC, respectively,” Amadeo reports. “With 87% of devices flagged as insecure on any given day, the study really shows how far the Android ecosystem has to go to protect its users.”

Read more in the full article here.

MacDailyNews Take: “Open” – to infection. Android is the open sore of mobile.

When you buy garbage, expect to be treated like garbage.

Apple cares about their users because they are responsible for the hardware, the operating system, and the ecosystem; the whole enchilada. They are compelled to strive for high customer satisfaction in order to secure repeat buyers. There is no “Android” per se. Alphabet Inc. is the closest you can get to that and that gets you a whopping 5.2 security rating out of 10 – for an insecure knockoff of the real thing, no less! Not a smart purchasing decision. Like we always say, choosing an iPhone vs. an “Android” iPhone knockoff is like an IQ test.

If it’s not an iPhone, it’s not an iPhone.

Apple issues iPhone manifesto; blasts Android’s lack of updates, lack of privacy, rampant malware – August 10, 2015
New Android malware strains to top 2 million by end of 2015 – July 1, 2015
Symantec: 1 in 5 Android apps is malware – April 25, 2015
Kaspersky Lab Director: Over 98% of mobile malware targets Android because it’s much, much easier to exploit than iOS – January 15, 2015
Security experts: Malware spreading to millions on Android phones – November 21, 2014
There’s practically no iOS malware, thanks to Apple’s smart control over app distribution – June 13, 2014
F-Secure: Android accounted for 99% of new mobile malware in Q1 2014 – April 30, 2014
Google’s Sundar Pichai: Android not designed to be safe; if I wrote malware, I’d target Android, too – February 27, 2014
Cisco: Android the target of 99 percent of world’s mobile malware – January 17, 2014
U.S. DHS, FBI warn of malware threats to Android mobile devices – August 27, 2013
Android app malware rates skyrocket 40 percent in last quarter – August 7, 2013
First malware found in wild that exploits Android app signing flaw – July 25, 2013
Mobile Threats Report: Android accounts for 92% of all mobile malware – June 26, 2013
Latest self-replicating Android Trojan looks and acts just like Windows malware – June 7, 2013
99.9% of new mobile malware targets Android phones – May 30, 2013
Mobile malware exploding, but only for Android – May 14, 2013
Mobile malware: Android is a bad apple – April 15, 2013
F-Secure: Android accounted for 96% of all mobile malware in Q4 2012 – March 7, 2013
New malware attacks Android phones, Windows PCs to eavesdrop, steal data; iPhone, Mac users unaffected – February 4, 2013

[Thanks to MacDailyNews Reader “Aparajita” for the heads up.]


  1. It seems that the makers and programmers of Android are either too stupid to know what’s going on in the real world, or don’t care.

    I had an Android device for a week, and had to go BACK to iOS simply because the Android device got so bogged down with Malware and viruses, plus the GUI was so screwy, that it took me a week just to find out how to add a name to the contact list.

  2. All these discussions about security still appear to be largely academic. We have yet to witness a Melissa-type outbreak, with severe consequences for a massive number of users.

    The point is, we will debate fandroids about security till we’re blue in the face but the only thing that will make them shut up will be a massive and debilitating infection. This has yet to happen.

      1. There probably has to be a significant ‘outbreak’ of malware experienced by users on Android, similar in level or horror of the diseases you mention, for it to make people turn away. Predrag is simply making the point that that has not happened to date. To date all such claims for Android malware is for POSSIBLE not ACTUAL infected.

        1. In the example I posted, the minimal expected infection is 200,000 devices. Note that the Brain Test malware arrived amidst the ongoing nightmare of the Stagefright and Stagefright 2 dirt-easy to enact series of Android exploits. I stick to my summary word of ‘catastrophe’, with no sign of Google bothering to mitigate malware beyond their Oops-Too-Late removal of existing infecting software. The Brain Test malware demonstrates the emerging strategy of using one infection in order to both invite further malware infections and to re-infect devices that have had the source malware ‘removed’ by way of root kit functionality.

          My best guess at the moment is that what riles up people is something simple and massive. All this ongoing series of exploits and massive infections doesn’t register because it is relatively complicated and is taking place over an extended period of time, versus being a punctuated event.

          It’s entirely possible I notice these things so clearly because I’m researching computer security every day on the net and chattering about it with other computer security researchers. To me, it’s all rather obvious. I attempt to help other people notice as well.

          Another example: There’s an ongoing and spreading crisis of ATM machine hacking going on across the world, to the point where I wouldn’t recommend using any ATM except that specific to your bank. Check out Brian Kreb’s research of the situation if you want to get suitable scared. But this issue has not yet penetrated mass human comprehension. It will!

    1. A massive Android security breach seems inevitable and frankly I hope it happens to permanently shut up the Fandroid Feckless Fools. (Even though there will be a few pathetic Fandroid diehards who will try to paint it as a positive thing as in “Don’t believe your eyes, believe what I tell you.”)

        1. Was it really “mitigated” if only a few of the at-risk Android devices ever got updated due to lack of interest in the OEMs in pushing out updates to existing handsets and tablets using older, vulnerable versions of Android? Just because a fix was published for the vulnerability, the problem is never really “mitigated” in the Android ecosystem unless that fix is actually installed in all the vulnerable population of devices that can be affected by the exploit. That is Android’s fatal flaw.

          1. By ‘mitigated’ I mean that Google used their malware removal process within Android to pull the malware from the affected Android devices. My understanding is that this action is universal across all Android devices, it being an aspect of Android that is NOT messed up or altered by the various device manufacturers. It’s a good feature to have! I can’t complain about that. The problem is that there’s no vetting before hand and Google’s removal process is obviously FAR too late in an infection cycle. Allowing ‘1 million’ Android devices to become infected, especially with Brain Test, which is effectively a Root Kit, is unacceptable by any definition.

            Again: Shame on Google.

            1. Exactly. I was just saying to Xennex1170, this root kit behavior is a new twist in Android malware, one that’s going to become common in the near future. You delete the thing, and it’s back again almost immediately. It’s very reminiscent of the worst days of Window virus infections.

              Google aren’t stupid. I suspect they’ll find a way to dig up root kits. But again, the fragmAndroid situation is going to get in the way specifically because not all Android installations are the same on different hardware. Fragmentation is a persistent problem that’s not going away.

            2. From what I remember about rootkits, they tend to be specific to HW.. Perhaps Android’s fragmentation is a double edged sword that in this case hinders certain malware from affecting the entire population. Result will likely be a move to a non-affected HW platform by a different OEM or a bit less likely completely switching OS depending on how stuck they are to the Android/Google ecosystem..

            3. Excellent point. I was just reading about exactly that in an eWeek article about the Brain Test malware on Android:

              Breaching Android security is no trivial matter, and the BrainTest malware includes four different privilege-escalation exploits in order to gain root access on a device. Shaulov noted that the need for four exploits has to do with the Android device fragmentation.
              “Different flavors of Android and different devices require different exploits because the kernel or drivers that are vulnerable are different,” Shaulov told eWEEK. “As an example, one exploit will successfully work on a Galaxy S4 device running Android 4.4 while another exploit will run successfully on a Google Nexus device running Android 5.”

              There are some rootkits (I’m used to writing ‘root kit’ for some reason) that dig into the firmware and live there. We’ve seen some proof-of-concept rootkits for EFI, USB and Thunderbolt hardware. Most rootkits, however, bury themselves into the kernel level of an OS.

              The article about Brain Test over at Forbes.com says:

              …That means those infected have to go through the somewhat complex process of reflashing the device to truly get rid of the malware.

              I interpret that to mean that the root kit has dug into the firmware of the infected devices. But so far, I’ve found nothing that explicitly says so.

    2. I have a suspicion that this has not happened yet because criminals aren’t sufficiently motivated. The most damage someone can usually do is make the phone call a toll number, or send nude photos to be posted to the internet later.

      If Samsung Pay and/or Google Pay catches on, this thing may explode.

  3. Fifteen years ago, when we were arguing the superiority of Mac over Windows, all we needed was to point the finger at around 70,000+ (at the time) out-in-the-wild pieces of malware infecting hundreds of thousands, later millions, of zombie computers in botnets around the globe. During the System 9 years, there was a running total of less than a 100 malware titles, including those that used to spread only via infected floppy disks. OS X brought that number down to zero, and after 15 years of OS X, the comprehensive list of OS X malware (trojans, keyloggers, etc) fits on a single page of paper (single-column, 12pt type).

    The official list of Android malware apps counts over 1 million of them; however, none had visible impact on the productivity and usability of devices. While I don’t doubt that many of them were quite effective in what they do (collect user names / passwords, rack up fraudulent mobile charges, etc), their reach was so sporadic that it flew below the public radar and we never heard of a massive scandalous outbreak that even my wife (a tech Luddite) would hear about (as we used to, rather frequently, about Windows).

    As I said above, the only thing that will de-relativise the discussion about security on Android (vs. iOS) will be something of the old Windows magnitude. I am truly curious what are the reasons why such an event hadn’t happened yet, considering that the platform is quite ripe for it.

    1. Because Android is run on personal mobile devices where people store and save personal information that most don’t care about.

      Windows was installed in enterprise/government networks, where once you infect one system you can move through the entire network gathering data or wreaking havoc.

      I would also argue that the Android OS (Linux based) is much more secure than Windows ever was – meaning a lot less holes that a virus can sneak in through.

    2. Mac OS, through version 9, had a total of 58 different malware. That’s the generally accepted number. There was never an acceleration curve of Mac OS malware. They’d show up here and there and none of them lasted long because there was always free anti-malware available to wipe them all out of a system or off floppies, including free fixes from Apple for every running Mac.

      The same situation is the case with OS X and with iOS.

      What’s going on with Android is:

      1) A STEEP acceleration curve of increasing malware on Android, demonstrated across the last three years.

      2) The IMPOSSIBILITY of patching all Android devices, thanks specifically to the fragmentation situation.

      3) Effectively NO vetting of Android software before they’re made available to and installed by users, until AFTER a mass infection has taken place. In a very recent infection, “up to 1 million” devices were infected before Google brought to a halt.


      Chinese Cybercriminals Breached Google Play To Infect ‘Up To 1 Million’ Androids

      When Google employed a digital Bouncer to keep reprobates out of its Android app market, it knew some would slip through the net. Indeed, the tech titan’s heavies forced cybercriminals to come up with ever-smarter ways of breaching Google Play security, as has been proven by a group of hackers, who appear to be Chinese. Their malware, say security experts, has infected at least 200,000 Android phones, possibly as many as 1 million.

      In the last month, the hacker crew has placed its malicious software on the store under the guise of a Brain Test app. The application managed to install a backdoor for adding further malware, whilst installing a rootkit, a type of software that situates itself deep in the operating system. On affected Android devices, the rootkit allowed the hackers to ensure that even when the victim deleted the app, it would appear again after reboot, said researchers from security firm Check Point. That means those infected have to go through the somewhat complex process of reflashing the device to truly get rid of the malware. . . .

      PLEASE read the rest of this article. It’s stunning. How’s that for a ‘mass infection’?

      SHAME on Google.

    3. I guess the malware world has matured, in the sense that they still prey on their victims, but now without killing them. Much more effective, much more sustainable business model.

  4. This reminds me so much of the Windows security situation, which turned into a long term flame war. But for all the ScARy prediction FUD of Mac OS X security DOOM (started by Symantec in 2005), it never happened.

    Now it’s a pointless flame war of iOS versus Android. As usual, there’s no such thing as perfect security. iOS still runs into situations where malware sneaks into the App Store. The latest situation was the XcodeGhost mess created by a WAREZ version of Xcode in China. But these iOS messes are calm seas compared to the INNATE security catastrophe that is Android.

    Toss in FragmAndroid and Android is seriously a hopeless security catastrophe.

    Meanwhile, Google uses their ‘Project Zero‘ as an excuse to divert attention away from their own problems by way of digging for exploits in OTHER COMPANY’S software, a clever marketing move. Dicks.

  5. Security is really about the user, too. Android is full of security holes, yes, but most geeks know what they’re doing.

    But, alas, 90% of the Android user base are NOT geeks, and tend to fall for every single shady product offer or what have you, and click on anything because “it looks interesting.”

    And that’s how they get you. Social Engineering is the most dangerous virus, and no program can stop it except the user.

    You must remain vigilant on the internet, or be taken advantage of.

    It’s a sad truth.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.