Google: Newer Android Versions Are Less Affected By Malware
Google is finally seeing tangible results after dedicating itself to improving Android's security in the past few years.
According to new statistics the company released today, a smaller percentage of devices running newer Android versions have been infected than of devices running older OS releases.
For example, the percentage of Android devices that contain at least one potentially harmful application (PHA), the term Google uses for Android malware, is above 0.5 percent for devices running KitKat (4.x), Lollipop (5.x), and Marshmallow (6.x), but it is much smaller for newer OS versions.
Google reports that 0.25 percent of all Android Nougat (7.x) devices contain at least one PHA, while the percentage for Oreo (8.x) and Pie (9.x) is even smaller, with 0.14 percent and 0.06 percent, respectively.
"We attribute this to many factors, such as continued platform and API hardening, ongoing security updates and app security and developer training to reduce apps' access to sensitive data," said the Android Security & Privacy Team in a blog post today.
"In particular, newer Android versions--such as Nougat, Oreo, and Pie--are more resilient to privilege escalation attacks that had previously allowed PHAs to gain persistence on devices and protect themselves against removal attempts."
But even users running older Android versions can still be safe. The trick, according to Google, is for users to restrict themselves to installing only apps made available through the official Play Store.
Google says that users who installed apps only from the Play Store have been infected by PHAs at a much lower rate than users who also installed apps from unofficial third-party stores or other locations, a process called side-loading.
Google says that the PHA infection rate for "Google Play only" users is 0.09 percent, while the same figure is 0.61 percent for users who also sideloaded apps.
Sure, the Play Store isn't perfect and you can still install a malicious app once in a while, but Google says that "Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources."
As for where most of the infected users are located, the top countries are Indonesia, India, the US, Russia, and Japan. The good news is that as Google rolled out new Android versions in recent years, a visible downward trend has been observed in infection numbers compared to the previous years.
Google published these statistics today as part of a new Android Ecosystem Security Report, a new section that the company added to its Transparency Report portal.
The Android OS maker promised more detailed stats and a deeper dive into the Android ecosystem in the 2018 Android Security Year in Review, a yearly report that's scheduled for release in the first quarter of 2019.
In the meantime, Google published "Android Enterprise Security," a white paper detailing the new enterprise-centric security features that have been added to Android after Pie's release in August.
Related Coverage:
Google May Allow Users To Test Future Android Versions On Any Treble-supported Device
Any Project Treble-supported device should be able to run a clean Generic System Image (or GSI) of a basic AOSP build. That’s the magic of Treble: all the supporting bits and customizations are separated from the GSI. This gave rise to enthusiasts being able to flash stock builds on skinned devices with (relative) ease.
However, it could also lead to testing Android versions early. Last year we got a treat; Google released the Android P Developer Previews for more than just Pixel and Nexus devices. This allowed certain phones to run the preview and give Google feedback.
With Treble being fairly common now, future test versions of Android could be released as GSIs rather than full builds. This would allow anyone with a Treble-supported device to give it a try. This would not guarantee perfect compatibility or usability, and wouldn’t be focused towards developers, but it would still give enthusiasts a nice treat while also gaining some important feedback. A Google Project Treble team member named Hung-ying Tyan had this to say at the Android Dev Summit:
“GSI is the central piece in Treble compliance. We feel that it has a lot more potential than that. We set out a goal to make GSI be more accessible and useful, not just for device makers but also the general public including app developers like you and even consumers. An important first step toward that goal is to make GSI available in AOSP. So for this, we have published pie-gsi in AOSP*. So now you can download and build pie-gsi today. We are also exploring ways to make future GSI available earlier than the release of next Android version. So you will be able to try out next Android version earlier over GSI. And at the same time we can also get early feedback from you, so the benefit is mutual. So please stay tuned for our further announcement on this.”
This isn’t an official announcement of test GSIs being released next year, but it is nice to see Google thinking about the rest of us. Hopefully this will come to fruition by the time Android Q is ready!