Why you should care about Android malware and the importance of security patches

Android dudes
Android dudes (Image credit: Jerry Hildenbrand / Android Central)

When you're king of the hill you are a target for everyone and everything. Sometimes that's great — LG's G6 is an awesome phone that wants to compete with the Galaxy S8 because the GS8 will be the king of the Android hill. Other times it's not, and security company G Data takes a look at one of those not-so-great times.

When you're on top you are a target.

Android's market dominance means it is the main target for people writing malware. Just like Windows for your PC, the fact that more than 70% of smartphone users worldwide use Android means it's where you want to focus if you're trying to steal user data. There is certainly malware for iOS, and probably Windows 10 Mobile, but to increase the odds, Android is the target.

G Data forecasts that it will see 3.5 million cases of malware for Android in 2017. A look at the numbers since 2012 shows that it's not making an outrageous claim, either.

Image courtesy G Data.

Image courtesy G Data.

There's a reason why malware is successful with Android, and it's one that still hasn't been addressed: most phones are using old software and haven't been patched against it.

Google does a lot of work to make Android secure and keep it that way. It pays people to find security exploits, works with hardware vendors like Qualcomm or NVIDIA to fix them if needed, then writes a patch that can be injected into the existing version with no fuss. If you have a Pixel or Nexus or BlackBerry product, you'll then get these patches. If you have any other phone you roll the dice and hope the people who made it care enough.

More Androids run Gingerbread (2010) than run the current version.

Forget about the Pixel or a Nexus for a minute. They have to be updated because there is no way Google can say that these updates are really important if they aren't. Google may be silly sometimes, but not that silly. But BlackBerry? It's hard for me to imagine any scenario where you can set the bar lower than using BlackBerry as the example.

BlackBerry (the software company from Canada) is a company that operated a month away from bankruptcy for a year or so and has found a way to stay afloat and reinvent itself. It's not in the black (pun intended) because it can ship a security patch 30 days after it received it. Security may be BlackBerry's "thing" but as far as resources, Asian phone manufacturers dwarf it. My take is that it does it because it has found a way to streamline the process and not have to spend hundreds (or more) man-hours on the patches. And whether a model sells a million units or 50 million units, you're only writing one patch.

Android 7.1 is on 0.5% of the 1.5 billion+ Android phones that are in use worldwide. The number with the May 2017 patch is likely to be close to this because the only phones that have it are running 7.1. And remember, the company that made your phone has had that patch for at least a month before it was released. Even worse: more phones are running Android 2.3.3 — which was released in 2010 — and no longer see any security updates than are running up-to-date software.

Not everyone wants one of these.

Not everyone wants one of these.

Real talk: there has not been a security apocalypse for mobile devices. Yet. But this is a recipe for one, and it could happen tomorrow. Isn't preventing a massive data breach that affects millions and millions of us better than crossing fingers and hoping it doesn't happen? Not everyone wants a "boring ass" Pixel or a BlackBerry. People want the things a Galaxy S8 or LG G6 give them. One of those things needs to be a little protection against the shitware that very smart people are making and looking for ways to give to everyone.

Security updates need to become a feature along with a great camera and slinky glass body.

Usually, security companies write blog posts to push their products and a specific agenda. While G Data's post may serve to those goals it also highlights the very real and very serious problem of having software that's easy to hack storing your credit card numbers and user passwords.

We wish there was better news here, but as usual, we can only offer the advice to be careful what you install and get all of your apps from Google play. Stay safe.

Jerry Hildenbrand
Senior Editor — Google Ecosystem

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.