A number of high-severity cyber-vulnerabilities have been uncovered in the Android platform recently, not the least of which is the Stagefright bug, which affects a majority of Android phones. But how safe is the platform, really? Perhaps safer than the headlines would seem to reflect.

The issue with Android is that it’s popular and widely deployed. So, as an attack surface, it’s a bit of a can’t-miss target for cybercriminals in some ways. Software vulnerabilities open up that target surface immensely for hackers, as is the case with Stagefright. But users who follow safety best practices (like not downloading dodgy apps from outside Google Play) should take the security headlines in stride.

Stagefright—Why It’s Scary

Stagefright is a security hole in the Android OS that affects greater than 50 percent of all Android devices. That means that about 950 million business users and consumers could be targeted by hackers who can take over a device, harvest all relevant information and install malware for future nefarious ends. To get there, attackers need only to send a specific kind of MMS to the phone; the user doesn’t even have to open the message in order to be compromised. 

Needless to say, this was a pretty big story in the security world.

Adding insult to injury, there are also two additional methods for criminals to gain complete control of a device: They can be infected using malicious video files that auto-play when opening a website. Once the video has played, attackers can bypass the disabling of auto-play videos in Chrome and gain complete control of the device.

And, malicious apps or MP4 files can also be built to exploit the vulnerability. Once they are downloaded and opened, attackers can take over.

Adrian Ludwig, head of Android Security at Google, noted in a talk at Black Hat 2015 last week that Nexus devices, including versions 4-7, 9, 10 and Nexus Player, are now receiving OTA updates for Stagefright.

He called it “the single largest unified software update the world has ever seen—hundreds of thousands of devices are to be updated in the next couple of days.”

One small problem: the patch doesn’t work. Oops.

Exodus Intelligence found that one of the patches sent to and accepted by Google could be bypassed by a specially-crafted MP4 file.

“In summary, the Stagefright disclosure process was an interesting one to observe. The (un)surprising outcome being that given all the exposure this vulnerability received combined with essentially infinite resources on the vendor side, effective security mitigations were still not deployed,” Exodus researchers said in a blog. “Google employs a tremendously large security staff, so much so that many members dedicate time to audit other vendor’s software and hold them accountable to provide a code fix within a deadline period.”

A Google statement claimed the firm has taken care of the issue and will update Nexus devices in an over-the-air fix as part of its monthly patch round in September.

Yet More Vulns

Stagefright was a big deal, but far from the only high-profile security issue affecting Android of late. In fact the latest issue was made public this week, affecting more than 55 percent of Android devices. These vulnerabilities, both on the Android platform itself and in third-party Android software development kits (SDKs,) can be exploited by expert hackers to give a malicious app with no privileges the ability to gain unauthorized access to information and other functionalities on the device, according to IBM’s X-Force security division.

The vulnerabilities center on the Android platform OpenSSLX509Certificate class, which is one of many classes developers leverage to add functionality to apps such as network access and the phone’s camera. By introducing malware into the communication channel between the apps and phone functionalities, attackers are able to take over an application on a user’s device and perform actions on behalf of the victim. (i.e. take photos, share content, send messages, etc.—depending on the app). They can also replace real apps with fake ones filled with malware that can collect personal information. (i.e. they could replace Facebook with a fake version that collects victim information on the social network).

Attackers can also steal sensitive information from the attacked app, like login details.

“Our team titled the paper ‘One Class to Rule Them All,’ since the single vulnerable class that we found in the Android platform, OpenSSLX509Certificate, was enough to take over the device using our attack technique,” researchers said in the report. “Developers take advantage of classes within the Android platform and SDKs. These classes provide functionality for apps — for example, accessing the network or the phone’s camera. The vulnerability we found can be exploited by malware through the communication channel that takes place between apps or services. As the information is broken down and put back together, malicious code is inserted into this stream, exploits the vulnerability at the other end and then owns the device.”

Google as well as the vulnerable SDKs have been patched, however, users are often slow to apply them unless they’re pushed in an OTA update—meaning that these and other vulnerabilities often linger out there for months if not years.

Google: Security by Design

Much has been made of Google’s open-source approach to Android and the resulting security issues. Unlike Apple, which vertically integrates the hardware and software stack with strict parameters for use and development, Google throws open the Android OS for coding by third parties in a much less controlled fashion.

Each handset-maker has the latitude to tweak the software for their devices, which is why the Samsung Galaxy experience is so different from, say, the Kindle Fire, even though both run on Android. Google also leaves it up to individual device-makers to decide their policy on “rooting” (the equivalent of jailbreaking), and has had little involvement when it comes to regulating any rogue app stores—of which there are many. As a result, innovation has accelerated—but malware authors have seen a fertile field to sow their seeds of data theft and illegal revenue generation.

That said, Google’s open model for development means that there are millions of lines of source code that are available to anyone to review. There are thousands of devices and hundreds of OEMs that participate in the Android ecosystem—all with often extensive customization at the software level.

The Internet giant sees this openness and diversity as being critical for the platform and for security.

“When I look at Android and I ask, where is the innovation coming from? The answer is everywhere. And that’s one of the things that makes Android resilient,” said Ludwig in his Black Hat talk.

Application isolation is at the core of the platform, so that security solutions are built on a device-by-device basis, and service-by-service. Layered on top of that is a uniform set of Google security services that are available on every device—like safe browsing for Chrome, and the verify apps function, which asks users for confirmation that they’re going to install an app, along with an “unknown source” warning if that app is from a third-party outside of Google Play.

And as for Google Play itself, it’s more than an app store, Ludwig explained. “This is a mechanism for us to identify and prevent bad apps.” Google gathers information on apps, developers, app behavior and relationships, and runs it through analysis every day.

“Previous ecosystems had very few checks in the platform to check the code running through devices,” Ludwig said. “We have checks in all kinds of arenas.”  

That includes runtime security checks, sandboxes and permissions. And on the applications analysis front, Google scans signatures, static code and dynamic behavior with the Safety Net mechanism. It also alerts developers when it finds an issue.

“Much of the emphasis is on finding the next generation of known issues—so we look for similarities in the app development itself, or code that we can tell is related to bad behavior,” Ludwig explained. “Then we combine that with the data that’s being collected on devices.”

Safety Net scans 150 million to 200 million devices per day; Ludwig said that on average, it finds about 200 and 600 devices that have a compromised Google.com certificate.

Google also has a bug bounty program, and at Black Hat the Web giant also announced that it would be doing monthly security updates.

“We’ve been sending security bulletins to partners for three years on a monthly basis,” Ludwig said. “We haven’t been talking about it, and we need more transparency about how we’re providing those things. We looked at the events of the last few days and weeks and realized that we need to move faster and tell people what we’re doing, both immediately and on an ongoing basis.”

Rates of Infection

So how safe is the Android platform, really? The answer is, fairly safe. Just because a vulnerability exists doesn’t mean that the bad guys have created an exploit for it. And malware infection rates are lower than you might think.

Third-party analysis found that Android malware logged a 391 percent increase in 2014. The Pulse Secure Mobile Threat Center found that nearly one million (931,620) unique malicious applications were produced last year as criminals look to boost profits amid an escalating number of devices. The firm logged 1,268 known families of Android malware, which is an increase of 464 from 2013 and 1,030 from 2012.

Android-targeted baddies now account for 97 percent of the mobile malware threatscape. And capability-wise, there’s a common theme: the ability to take profit from an end user with SMS premium services or malicious ad networks is found in all of the top 10 malware threats identified in 2014.

And in fact, 460 of the top 500 Android applications create a security or privacy risk when downloaded to Android devices, according to recent research from MetaIntelli.

Yet, despite those statistics, the overall malware instances inside Android remain low.

“In general over the last 6 months, we see that around a half of one percent of Android devices have a potentially harmful application installed,” Ludwig said. “[And] we have no expectation in an ecosystem the size of Android that the number will ever be zero.”

Devices with unknown sources disabled have about a .15 percent instance of malware installed; that number borders around 1 percent for those that install apps from unknown sources, a common practice in China, for instance.

User preference for rooting their devices and the downloading of apps from outside Google Play will always open the door to a certain extent to unsafe practices. “Zero is really not the goal,” Ludwig said. “It’s both unrealistic and not the best way to manage the ecosystem. People want to do what they want to do. So is rooting good or bad? It’s both good and it’s bad. Freedom of the individual is important, but explains the tension between choice and security. Nexus is unlockable for instance, so those that want flexibility can have it. We think that’s critical.”