Ludwig admits Android isn't immune, but it's well-built

Feb 15, 2017 10:20 GMT

Despite many threats to its integrity, Android is a pretty safe piece of mobile software. That’s the conclusion we can reach after the talk Adrian Ludwig, Android security director, gave at the RSA conference in San Francisco.

One of the topics he addressed during the conference was the massive Stagefright hole, which at the time pushed the company to issue security patches on a monthly basis. He said Stagefright did not cause any “confirmed” infections, despite putting 95% of Android devices at risk of attack, The Register reports.

The vulnerability, which affected many versions of Android, allowed attackers to perform operations on the victim’s device through remote code execution and privilege escalation. After countless patches were applied, the vulnerabilities became unexploitable.

Before Stagefright, there was the MasterKey vulnerability, to which 99% of Android devices were vulnerable. At its peak, however, it accounted for eight infections per million users. Similarly, the FakeID flaw affected 82% of users, but there was only one infection per million users at its peak.

Safe, but not immune 

The figures he used for his calculations cover devices that come with Google Play services, which is available on 1.4 billion Android devices. The numbers do not, however, include devices that don’t have Google Play services installed, such as the Amazon Android-based handhelds or the ones sold in China.

“Most of the abuse we get isn’t interesting from a security perspective. We see spamming ads for fake antivirus stuff, but it’s really basic social engineering. Even if malware is installed it seldom involved privilege escalation, it primarily just downloads other apps,” Ludwig said, admitting that there isn’t any big bogeyman out there in the form of malware infecting Android devices.

That's not to say, of course, that there isn't any malware out there. In fact, there is plenty of malware targeting Android devices, but infection rates are rather low because most users don’t allow installation of apps from outside the Google Play store, which is where the risks come from most often.