If patching and security updates are the soul of device security, then mobile users are in a world of hurt. Research from Skycure has revealed that 71% of mobile devices still run on security patches that are more than two months old, in part because the carriers are slow to make them available to users.
The firm’s fourth-quarter report analyzed the patch updates among the five leading wireless carriers in the United States. It found that more than one-third of devices had patches more than three months old, and a small percentage of end users are in really bad shape: About 6% of devices run patches that are six or more months old.
This is in line with Google’s own new report on Android security, which noted that about half of the 1.4 billion Android devices in use globally by the end of last year didn’t install a single security update in all of 2016.
Given the rate of vulnerabilities discovered in mobile devices, unpatched handsets are susceptible to a myriad of attacks, including rapidly rising network attacks and new malware. Skycure pointed out that a huge number of Android vulnerabilities were identified in 2016, rising to more than four times the number in 2015. Almost half of those vulnerabilities allowed excessive privileges, while others allowed leakage of information, corrupted memory or arbitrary code execution.
“Malware, network attacks and advanced exploitation campaigns many times depend on unpatched vulnerabilities to be successful,” said Yair Amit, co-founder and CTO of Skycure. “It’s essential that users and companies know the moment that a device is able to remove these risks to reduce the window of vulnerability.”
Because carriers must make Android patches available to their users before they can patch their devices, Skycure analyzed devices on AT&T, MetroPCS, Sprint, T-Mobile and Verizon to determine the age distribution of security patches. According to the report, the most recent security patch released by Google for Android has only been adopted by a very small percentage of the devices—and, AT&T users were up to 10 times more likely to have this latest patch installed.
Among the five major US carriers, MetroPCS had the highest percentage of devices with patches more than three months old, making their devices the most susceptible to attack. Google releases Android security patches every month, meaning these are at least three patches behind.
The most common types of mobile malware are adware, hidden apps, potentially unwanted apps, riskware, spywar, and trojans. The number of these common types of malware grew by more than 500% from Q1 to Q4 of 2016, the report noted; and among the common types of malware, hidden apps ended the year with the fastest growth in 2016.
Skycure also tracked trends in network incidents over 2016. To highlight the rise in risk of network attack for mobile devices, Skycure analyzed network incidents in the major technology centers of the US over the course of the year. The report found that Boston had the greatest increase in incidents throughout the year, reaching nearly 11 times the number of incidents from the first to fourth quarter, followed by Chicago, Raleigh-Durham and Washington DC. Overall, the volume of incidents rose dramatically from the first quarter to the fourth quarter of 2016, ending Q4 with more than three times the number of incidents of Q1.