Why you should care about Android malware and the importance of security patches

Android dudes (Image credit: Jerry Hildenbrand / Android Central)

When you're king of the hill you are a target for everyone and everything. Sometimes that's great — LG's G6 is an awesome phone that wants to compete with the Galaxy S8 because the GS8 will be the king of the Android hill. Other times it's not, and security company G Data takes a look at one of those not-so-great times.

When you're on top you are a target.

Android's market dominance means it is the main target for people writing malware. Just like Windows for your PC, the fact that more than 70% of smartphone users worldwide use Android means it's where you want to focus if you're trying to steal user data. There is certainly malware for iOS, and probably Windows 10 Mobile, but to increase the odds, Android is the target.

G Data forecasts that it will see 3.5 million cases of malware for Android in 2017. A look at the numbers since 2012 shows that it's not making an outrageous claim, either.

Image courtesy G Data.


There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.

Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.

More Androids run Gingerbread (2010) than run the current version.

Forget about the Pixel or a Nexus for a minute. They have to be updated because there is no way Google can say that these updates are really important if they aren't. Google may be silly sometimes, but not that silly. But BlackBerry? It's hard for me to imagine any scenario where you can set the bar lower than using BlackBerry as the example.

BlackBerry (the software company from Canada) is a company that operated a month away from bankruptcy for a year or so and has found a way to stay afloat and reinvent itself. It's not in the black (pun intended) because it can ship a security patch 30 days after it received it. Security may be BlackBerry's "thing" but as far as resources go, Asian phone manufacturers dwarf it. My take is that it does it because it has found a way to streamline the process and not have to spend hundreds (or more) of man-hours on the patches. And whether a model sells a million units or 50 million units, you're only writing one patch.

Android 7.1 is on 0.5% of the 1.5 billion+ Android phones that are in use worldwide. The number with the May 2017 patch is likely to be close to this because the only phones that have it are running 7.1. And remember, the company that made your phone has had that patch for at least a month before it was released. Even worse: more phones are running Android 2.3.3, which was released in 2010 and no longer sees any security updates, than are running up-to-date software.

Not everyone wants one of these.


Real talk: there has not been a security apocalypse for mobile devices. Yet. But this is a recipe for one, and it could happen tomorrow. Isn't preventing a massive data breach that affects millions and millions of us better than crossing fingers and hoping it doesn't happen? Not everyone wants a "boring ass" Pixel or a BlackBerry. People want the things a Galaxy S8 or LG G6 give them. One of those things needs to be a little protection against the shitware that very smart people are making and looking for ways to give to everyone.

Security updates need to become a feature along with a great camera and slinky glass body.

Usually, security companies write blog posts to push their products and a specific agenda. While G Data's post may serve those goals, it also highlights the very real and very serious problem of having software that's easy to hack storing your credit card numbers and user passwords.

We wish there was better news here, but as usual, we can only offer the advice to be careful what you install and get all of your apps from Google Play. Stay safe.

Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

72 Comments
  • Quietly, Verizon has become one of the better carriers when it comes to security updates. Also, I don't think things will get significantly better (by significantly better my criteria would be all models, not just flagships, getting security patches at least quarterly for the two-year life of the product) unless there's a catastrophic breach.
  • Absolutely agree. Ignoring it until it happens is silly and a gift to the scammers and malware authors.
  • Seems like you'd be happy BlackBerry does what they do...
  • I am.
  • I am. My second phone is a BlackBerry and has been for over a year. But they are a great example of a company in rough financial shape yet still able to send monthly updates.
  • I see. I knew about your other phone. I guess I just misunderstood your wording.
    Thanks for replying.
  • Why are their Android phones like the Priv and DTEK still on Marshmallow then? I guess they don't care enough to actually update the OS to the new version that has even better security enhancements and mitigations like the MediaServer hardening in Android 7.
  • Not sure. But they have every patch for the media server applied and they apply their own hardening which nobody has been able to crack so far.
  • I am still on an Idol 3 with 6.0.1 and a Nov 2016 patch. I just made a cross country move and deaths in the family so a new phone had to take a back burner. I would love to get the new Nokia phone if released in the US as it is a mid ranger I hear they update the phones pretty regularly.
  • Thanks, need more articles to show that patches are value added to a phone. A recent reviewer of the BlackBerry KeyOne mentioned that for $100 Less, you could get another brand to do similar things (LG), but I would rather pay the $100 than deal with the hours of problems and headaches of fraudulent activity.
    If you keep your phone for two years it is like $4 per patch...that is a great software deal!
    Blackberry Android seems to be real value for the long run...
    Thanks for the info, everyone should put some value $$, toward security.
  • The plan is to update all the phones to Nougat after the KEYone launches.
  • ...unless you have a DTEK60, which appears to not even have received April, and it's May now.
  • My Note 4 is on the April security patch. About how much longer will my device receive these monthly patches (it's an unlocked international version)?
  • Google writes the patches to go back to Android 4.4, so it's up to Samsung when they stop support. Hopefully at least through 2017 for you!
  • Even if the Note 4 was a Google phone, it wouldn't be guaranteed to have updates until the end of the year
  • Then why is the Nexus 5 stuck on October 2016 patch. Shame on Google.
  • Because you get two years of OS updates and three years of security patches.
  • If they are supporting patches back to 4.4, why not put them on their own devices?
  • Don't know, but the policy is clear.
  • I operated a Note 4 on its original release of KitKat for 2 years and had zero issues security wise. Still no issue to date after it was rooted and frozen on a stock Lollipop 5.1.1 ROM. As I posted below security patches are but ONE layer and will not be the only deciding factor how secure your device may be.
  • No, you merely THOUGHT you had zero issues security wise (sic). That means that any security issues you experienced were invisible to you.
  • Security patches are but one layer of security. The lack of them will not lead to any kind of "apocalypse". If that were the case we would've already experienced it with Windows. Because contrary to popular belief not all Windows systems are kept up to date despite security patches being available. There are even many a Windows XP system still in operation without issue despite zero security patches since Microsoft ended support for the OS in 2014. Yes security patches are important but they are not the be all end all of how secure a device can be. It's not that black and white.
  • We're already at Windows apocalypse. If you're running Windows XP then you've either already been hacked or you're too clueless to realize that you've already been hacked.
  • I highly suggest you read up on defense in depth strategies. See below for a starting point: https://www.us-cert.gov/bsi/articles/knowledge/principles/defense-in-depth
  • So you're saying a Windows XP desktop behind a router or firewall is the same as an always-on device with a cloud-based operating system and direct connections from every client installed?
  • No, but you point out a very good reason why I personally don't trust any mobile OS (not just Android) for anything of sensitive nature. Unlike an old version of Windows XP where I can lock down the OS so nothing runs on it unless I explicitly allow it and where I can put it behind a major layer of security in a hardware firewall, I cannot do the same with a mobile OS. Regardless in either case I stand by my assertion that security patches alone do not dictate how secure a device may be desktop or mobile. In either case they are not a panacea but just one single layer. In the end the MOST important layer is the one behind the keyboard. Because even a fully patched OS can be compromised by actions of the operator. In other words, don't be lulled into a false sense of security just because you're on the latest patch level!
  • Leaving most arguments aside - I would still recommend buying the most secure \ updated phone to any person or business... Leave the others (meaning less updated phones etc.) to strictly play games with or maybe take pictures etc... and leave the personal and professional information \ actions out this type too... It's a common sense issue.
  • Well since I don't have control of the mobile network my smartphone sits on, security updates is the next important thing I need to pay attention to... other than being mindful of what I do on my phone. The thing is with your first comment you came off like security updates are not that important and you don't need to worry about them because there are other layers of security. I'm not sure if that's the way you intended to come off, but if it is then you don't have a true understanding of a "Layered Security Model" and you've probably never managed security for an enterprise environment. Even hardware routers and firewalls should have their IOS/Firmware updated regularly to get security updates.
  • My S7 is on the April security patch, I think every phone I have is still updated for security.
  • User behavior (don't click on unknown links, buy only from the Play Store, etc) also plays into security on our devices. Anyone reading AC knows this. But how many "normal" people know, or care, about this? I believe Jerry's point is that manufacturers need to do more. It's inexcusable that they can't release at least quarterly security updates for their products. And why on Earth would anything running 2.3.3 still be active? IMHO, if you're running an outdated, unsupported Android version, the carriers should either block your device from getting on the network. Or else, bear the brunt financially and PR wise if said device is found to be the root cause of a virus/phishing/malware outbreak. Any current devices should be on a supported version of Android. And we end users should accept no less.
  • Dude, you're on drugs. Imagine a day when your six-year-old car doesn't start because it's simply too old. I'm currently using a GS3. Like fuçk am I going to sit idly by while my service provider cuts me off 'cause my phone is "too old."
  • Well said. Besides, the carriers ALREADY bear the brunt financially and PR-wise for phishing/malware outbreaks; it's often THE CARRIERS who refuse to update phones.
  • My Google/Motorola Nexus 6 is on Android 7.0. The last security patch is Jan 5, 2017. Google, when will my phone get the newest OTA updates and security patches?
  • Nexus 6 is all up to date through May 2017 and 7.1.1 (I believe). Here is the link. https://developers.google.com/android/images
  • They sent an OTA to Nexus 6 owners downgrading it to 7.0. Because of an issue with Android Pay, from what I remember. I'm still using my Nexus 6 as my daily driver and I'm on 7.0 with the April security patch.
  • The Nexus 6 is 7.0 and April, 2017. At least mine. I'm on T-Mobile.
  • My security patch level is from 2016 09 01 how do I get a newer version. Thanks.
    Running LG G5
  • Unlocked or carrier?
  • Unlocked
  • Patiently waiting for the Pixel 2. Hardware is nice - but frequent updates finalizes the deal. It's a package deal - half doesn't work that well for me.
  • Doesn't matter if you have the latest update. Some people are still going to be tech dumb and use public networks, download from unknown sources, click those your phone is infected ads and pay to "fix" it. If you have some tech smarts or common sense you shouldn't worry so much about just having the latest date on your device cause as soon as that patch is released there is already a month's worth of more malware that's missed or discovered.
  • Taking your reasoning to its logical conclusion, the solution would be to buy an iPhone.
  • Well, my Moto Z is on January. There is the newer patch out but I'm not updating. I'm not being daft. I tried but it broke the phone. I restored it and had to flash Nougat without updating the bootloader to prevent downgrading should I need to. It's also rooted with a custom kernel so warranty repairs are out of the question, I would love to be updated, but I think now, I would rather have a working phone, especially since everything on it seems to be working really well so far.
  • my V20 is on march, good until they push 7.1
  • Same patch the G6 is on...waiting for 7.1
  • Security patches are a must. Software updates too. No point having new features in android o only to get them next year. Seems like in an ideal world 🌎 we can expect android o to come by Christmas 🎄 to most phones released in these 3 years.
  • It's been a long time since any Android version came to "most" (over 50% of) phones. Some phones do get upgraded to a version but plenty more either don't or leapfrog it.
  • it's just very sad. maybe 2017 or 2018 we finally can get universal update to recent phones
  • My Sprint HTC 10 is on Android 7.0 with March 2017 security patch. No problems after about a year of 'extremely heavy' use, fast and responsive. Battery seems to have lost about 10% of capacity. HTC also updates their Sense User Interface and features on a regular basis.
  • This whole reason is why I'm sticking with my Pixel (not to mention the stunning camera). Android 7.1.2 and May 17 security patch - and this level of updating and security will continue through to 2018 (with security patches beyond that). On a side note, from experience I found LG to be truly horrendous with updates
  • I just received the March security patch for my G4 a couple weeks ago. Doesn't seem more horrible than any other. I, too, am seriously considering moving to a Pixel if and when I eventually upgrade. I just don't think the problem is a specific manufacturer as much as it is the market value of security and updates. Companies don't look to a losing competitor for strategy. Android is the most successful, Samsung is the most successful at Android. I'd tend to think competitors are looking at Samsung. When the biggest manufacturer/seller of Android devices doesn't see any particular need to support or update devices, that absolutely has to tell them that the market doesn't really value either one.
  • Samsung DOES issue the monthly patch, for as long as Google, at least on their higher end models.
  • nice
  • Is it possible to manually install the security patches?
  • That is the main reason I am still using Nexus 6.
    I always update the phone as soon as the patch is out.
    I am waiting for the next Pixel XL for replacement.
  • Nexus owners shouldn't have to manually install updates. That was one of the main reasons for buying a Google product - to get timely OTA updates and security patches. But with the Nexus 6 Google has failed on that promise and I will not buy another Google product.
  • Unfortunately, it's impossible to fully address this issue due to the fact that Android is open source. Google also wouldn't dare try forcing any sort of update compliance requirement onto OEMs because they'd have antitrust investigators beating their doors down. That said, carriers need to get out of the way when it comes to the update process.
  • If an OEM doesn't work on a security update, there's nothing for a carrier to get in the way of.
  • Having to deal with carriers is most likely the reason OEMs don't provide updates as often and as timely as we'd like.
  • I'd just like to point out that the US carrier Samsung Galaxy S7s have been ahead of the unlocked US Galaxy S7. Also, what security update cadence do non-carrier brands like Honor and OnePlus use? Monthly?
  • 100%. All we can do is demand that the companies making billions in profit spend some of it to provide a little customer care here.
  • Out of context but about security -
    How come Google doesn't provide (at least for Pixels) activation protection for lost and stolen devices like Apple does with iPhones?
  • There is reset protection on Android AFAIK.
  • Yeah you can do that but after the factory reset is performed that lost or stolen phone can be used as a new device. And for those who know how to retrieve erased data they will have no obstacles in doing so.
    When you black list your iPhone in Apple cloud, no matter what's done with it (ppl usually manually do FDR in recovery) once it's turned back on, it's useless without your credentials. It's all tied to the IMEI of the phone, so you can't work around it. All you can do is buy another mother board.
    Apple really nailed it when it comes to protecting its customers' property.
    I wish Google did the same thing.
  • "Real talk: there has not been a security apocalypse for mobile devices." With millions of devices using "outdated" security why would you say that is? I have a Note 4 running a KitKat custom ROM and an S8+ running stock Nougat. I don't feel any less secure on my Note than I do on my S8+. Am I less secure on it? Probably. Will it affect me in any real way? Maybe. I might get hit by lightning on this sunny day too but I'm going to the park to play some ball with my friends anyway.
  • And if you see something sketchy you know better than to install/sign in. Does your mom? Mine might call me and ask or might just do it because a friend did and said it was great.
  • Along these lines, it would be nice if the Android sites (including Android Central) stopped ignoring security updates as part of the process of reviewing new Android devices. If a device comes from a manufacturer with a poor history of security patch updates, this should be noted and figure into the overall score for the review. So please, Android Central, put your money where your mouth is.
  • What's all this rubbish about BlackBerry. I have a Dtek60 and my latest patch is March 5.
  • There are some fairly serious problems with the lack of updates, however this whole discussion fails to mention several things...
    1. Google play services *does* update many core services even on old android versions and this enhances security a lot for all android versions
    2. Google routinely and heavily scan apps on the play store, so if you use apps from there, or a reputable place like F-droid, your security risks drop dramatically.
    These two measures alone are going to mitigate a lot of stuff, so the completely bleak picture the author painted is really not as bad as it might seem. But, yes, work is needed on the process.
  • I haven't experienced any security issues, but I'm a tad more concerned after recently reading about malicious apps in the Google Play Store and the Google Docs email phishing scam.
  • Got the May patch this morning, at last.
  • Android doesn’t need an app store any more than Windows does. People survived on Windows just fine for decades downloading files and programs from their internet browsers. Why do smartphones have to be so locked down in comparison?