In a recent blog post, Duo Security CTO Jon Oberheide announced that, according to initial results from the company's X-Ray app for Android devices, "over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary."
"The research firm called the statistic a 'scary number,' and said it underscores both how critically important expedient patching is to mobile security, and 'how poorly the industry (carriers, device manufacturers, etc.) has performed thus far,'" writes HotHardware's Paul Lilly. "What's more, Duo Security says its figure represents a conservative estimate."
"X-Ray is Duo's mobile app that performs 'vulnerability assessment' on Android devices," Oberheide explained. "Instead of scanning for malicious apps installed on the device like a mobile antivirus app would do (a nearly-intractable problem), X-Ray can identify known, yet unpatched, vulnerabilities in the mobile platform itself that could be exploited to take full control of users' phones. As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users' mobile devices often remain vulnerable for months and even years."
"Android has the largest market share of any mobile platform and attackers have been targeting the OS with malicious apps, exploits for known vulnerabilities and other attacks for several years now," writes Threatpost's Dennis Fisher. "Unlike Apple, which releases new versions of iOS on a fairly regular basis and pushes them to all users, regardless of carrier, at the same time, each carrier that sells Android phones is responsible for getting updates to its own users. Users, of course, have the option of ignoring the updates, which would leave them vulnerable to any flaws that had been patched in a new release."
"The research from Duo Security squares with a study conducted last year by Bit9, which painstakingly calculated -- since much of the related data was not easily accessible -- how long it took carriers to issue updates for the top 20 smartphones on the market," writes Informationweek's Mathew J. Schwartz. "Ultimately, it found that only outdated and insecure versions of the Android operating system were available for 56 percent of the top 20 smartphones, owing to carriers and manufacturers failing to issue timely updates."