One billion Android devices at risk of hacking

[Guest]

Interesting one this as I was quite surprised by just how many older phones are still in use. On the plus side this highlights the green credentials of removable batteries. On the down side it goes to show not everyone can afford or wants to get on the upgrade cycle.

 

https://www.bbc.co.uk/news/technology-51751950

 

Quote

More than a billion Android devices are at risk of being hacked because they are no longer protected by security updates, watchdog Which? has suggested.

The vulnerability could leave users around the world exposed to the danger of data theft, ransom demands and other malware attacks.

Anyone using an Android phone released in 2012 or earlier should be especially concerned, it said.

Which? says it was not reassured by Google's response.

And the tech giant has not responded to BBC requests for a comment.

Google's own data suggests that 42.1% of Android users worldwide are on version 6.0 of its operating system or below.

According to the Android security bulletin, there were no security patches issued for the Android system in 2019 for versions below 7.0.

Quite a staggering statistic that 42.1% of android users are on version 6 or below.

 

Quote

Extrapolating this data, Which? concluded that two in five Android users worldwide were no longer receiving security updates.

It then tested five phones:

• a Motorola X
• a Samsung Galaxy A5
• a Sony Xperia Z2
• an LG/Google Nexus 5
• a Samsung Galaxy S6

Which? asked anti-virus lab AV Comparatives to infect them with malware - and it succeeded on every phone, creating multiple infections on some.

It said it shared its findings with Google but the tech giant "failed to provide reassurance that it has plans in place to help users whose devices were no longer supported".

The watchdog wants Google and others to provide far more transparency around how long updates for smart devices will be provided.

And it said the mobile industry needed to do a better job of giving support to customers about their options once security updates are no longer available.

I agree, the mobile industry need to have a good think about supporting those who have spent their hard earned with them.

Quote

Kate Bevan, Which? Computing editor, said: "It's very concerning that expensive Android devices have such a short shelf life before they lose security support, leaving millions of users at risk of serious consequences if they fall victim to hackers.

"Google and phone manufacturers need to be upfront about security updates - with clear information about how long they will last and what customers should do when they run out.

"The government must also push ahead with planned legislation to ensure manufacturers are far more transparent about security updates for smart devices - and their impact on consumers."

I agree here too. Phones are expensive items for many, and the short life forced upon them through lack of security updates needs to be addressed. Having said that, I wonder just how many of these devices are actually at risk. I often see here in the UK for example older android devices used as little more than an emergency phone by older people. These users do nothing on them but top up their pay as you go airtime occasionally and only use the devices as phones. They are at very low risk, and I do wonder just how many of these older devices are used like that. We do not hear of mass targeting of these devices but maybe they are just not published.  It will be interesting how planned legislation affects the update cycles of both IOS and Android. I also wonder just how many people will see this story worry about their old device.

 

Quote

How to check whether your phone is vulnerable and what to do

  Image captionThe Samsung Galaxy S6 came out in 2015

• If your Android device is more than two years old, check whether it can be updated to a newer version of the operating system. If you are on an earlier version than Android 7.0 Nougat, try to update via Settings> System>Advanced System update
• If you can't update, your phone could be at risk of being hacked, especially if you are running a version of Android 4 or lower. If this is the case be careful about downloading apps outside the Google Play store
• Also be wary of suspicious SMS or MMS messages
• Back up data in at least two places (a hard drive and a cloud service)
• Install a mobile anti-virus via an app, but bear in mind that the choice is limited for older phones

Right, OK, I am sure my 80yr old relative understands that fully. LOL. Fortunatey while he has one of these older devices, it only gets switched on to check it is still working and his pay as you go credit still exists. 

[TVwazhere]

This is like saying 30% of windows users are at risk of being hacked..... Because they're still using Windows 7. It should be fairly plain to most people that if you're not getting security updates, you're eventually going to be vulnerable to some new attack. 

 

(I'm not saying there's anything wrong with Win 7 or Android 6 and below, it's just....... Not surprising)

[Guest]

5 minutes ago, TVwazhere said:

This is like saying 30% of windows users are at risk of being hacked..... Because they're still using Windows 7. It should be fairly plain to most people that if you're not getting security updates, you're eventually going to be vulnerable to some new attack. 

 

(I'm not saying there's anything wrong with Win 7 or Android 6 and below, it's just....... Not surprising)

I wonder how many people are just not aware they have to update their devices. I am quite sure there is a generation who would never even consider it.

[Tan3l6]

Ha!

 

I use Xiaomi.

You cant mug that's mugged already!

[Sir0Tek]

1 minute ago, Phill104 said:

I wonder how many people are just not aware they have to update their devices. I am quite sure there is a generation who would never even consider it.

It is not that they do not update their devices, it is that they can't update them any longer.

For Windows7 it is relatively simple for most people; just slap Win10 onto it. For Android-devices it is not that simple, they would have to ditch the old one and buy a new one.

[Guest]

1 minute ago, Sir0Tek said:

It is not that they do not update their devices, it is that they can't update them any longer.

For Windows7 it is relatively simple for most people; just slap Win10 onto it. For Android-devices it is not that simple, they would have to ditch the old one and buy a new one.

I am aware of that. What I was talking about was the number of people that were used to devices you never needed to update who probably do not realise you have to. Thinking here of my grandparents who thought touch button home phones were some black art voodoo.

[straight_stewie]

10 minutes ago, Phill104 said:

On the down side it goes to show not everyone can afford

Finally someone says it. Who can afford to pay $1000 for a literal glass sandwich that will shatter if you drop it from pocket height onto the worlds softest pillow?

I mean, forget about infosec for a second, where's the physec?

[Tristerin]

I identify as a User using a 2012 Android device.  And I am unconcerned about it being hacked to capture the 8 or so pictures I can keep on its minuscule storage, or reap the data that is my browsing history I forgot to clear from Xvideos.  

 

The real concern I would have, if it wasn't already happening, is tracking my phones whereabouts in general to see my daily habits. 

 

What I DO enjoy?  $25 flat rate grandfathered in billing a month with 300 minutes, unlimited text and unlimited 3g.  Totally worth the vulnerabilities I may face.

[RejZoR]

22 minutes ago, TVwazhere said:

This is like saying 30% of windows users are at risk of being hacked..... Because they're still using Windows 7. It should be fairly plain to most people that if you're not getting security updates, you're eventually going to be vulnerable to some new attack. 

 

(I'm not saying there's anything wrong with Win 7 or Android 6 and below, it's just....... Not surprising)

Given how many devices are just stuck on old Android versions because of how crappy whole Android updating is, I'm not even surprised. With Windows, everyone had an option to upgrade to Win10 for free, so there are just no excuses. Or you can go with Linux if all you need is basic functionality and option of always being up to date with no cost. With Android, even if you want to, you just can't update because there aren't updates coz vendors simply don't offer them. You need to buy a new expensive device. Which is just unacceptable. It's one of reasons why I ditched Android devices and went with iPhone. And it really is as good as it sounded like. Pretty much guaranteed updates for 5+ years with updates released on exact day they announce the release. If Android had that, I'd even look past stupid anti privacy Google ecosystem. But it's nothing like it. Getting updates on Android is pretty much gambling.

[Sir0Tek]

 

10 minutes ago, RejZoR said:

<snip>

With Windows, everyone had an option to upgrade to Win10 for free, so there are just no excuses. Or you can go with Linux if all you need is basic functionality and option of always being up to date with no cost.

<snip>

No, not all devices that came with Win7 are able to upgrade into Win10 (issues and/or unusable, extremely sluggish) or would satisfyingly run Linux on it. Yes, they're old, yes they use some special hardware (Thanks, Intel...) but technically they could still be used.

[.Apex.]

55 minutes ago, Phill104 said:

Interesting one this as I was quite surprised by just how many older phones are still in use. On the plus side this highlights the green credentials of removable batteries. On the down side it goes to show not everyone can afford or wants to get on the upgrade cycle.

It's about how long Android phones are supported, the majority of them are only supported for 2 years at most and to make it worse security patches take ~6 months on average to be available on your device if at all, that's why there's that high 1 Billion number when the active android users are 2.5 Billion, and I bet it's even higher than that if they consider the delay it takes for an android phone to get a security patch, even if it's eligible for it eventually.

[EarthWormJM2]

43 minutes ago, straight_stewie said:

Finally someone says it. Who can afford to pay $1000 for a literal glass sandwich that will shatter if you drop it from pocket height onto the worlds softest pillow?

I mean, forget about infosec for a second, where's the physec?

...you are aware that there are a TON of phones out there for only a few hundred $$ right? You don't HAVE to buy a flagship $1k+ device. And a lot of these arguments are for older people who wouldn't be spending that much on a device anyway. Plus here in the US pretty much every carrier has phone payments built into your bill so you can get a high end phone for like ~$30-$40 a month and nothing up front. The barrier to entry is super low. 

 

Yes, I do not agree with forcing upgrades every 2-3 years, but if they are saying my 7-8 yr old android phone is no longer getting updates... well duh. It barely can handle what is has on there now since apps keep updating, and if all I wanted was a phone/text device, then i'm not doing anything on it really to compromise myself anyways. Think this is all blown more out of proportion then it needs to be. (I'm currently using a LG v20 from the end of 2016 without any issue)

[Ashley MLP Fangirl]

26 minutes ago, _Syn_ said:

It's about how long Android phones are supported, the majority of them are only supported for 2 years at most and to make it worse security patches take ~6 months on average to be available on your device if at all, that's why there's that high 1 Billion number when the active android users are 2.5 Billion, and I bet it's even higher than that if they consider the delay it takes for an android phone to get a security patch, even if it's eligible for it eventually.

Android One is set to change that. 

https://en.wikipedia.org/wiki/Android_One

my Nokia 7.2 has it, and I have more than 2 years of updates (iirc, wikipedia says so) and I got an update 2 days ago iirc, which was the February 5 security patch. so I'm about a month behind. 

 

44 minutes ago, RejZoR said:

With Android, even if you want to, you just can't update because there aren't updates coz vendors simply don't offer them. You need to buy a new expensive device. Which is just unacceptable. It's one of reasons why I ditched Android devices and went with iPhone. And it really is as good as it sounded like. Pretty much guaranteed updates for 5+ years with updates released on exact day they announce the release. If Android had that, I'd even look past stupid anti privacy Google ecosystem. But it's nothing like it. Getting updates on Android is pretty much gambling.

Android One is a lot better than what it used to be like. granted, it's not as good as Apple's support, but you pay a hefty price for that. an iPhone 8 (an almost 3 year old phone!!!!) is still €500 where I live. my Nokia cost me €310, the specs are vastly improved and I have 3 years of updates I believe, otherwise two. considering I paid pretty much half for my phone than the cheapest brand new iPhone I could find that's reasonable to buy (although a 3 year old phone at €500 is still madness) and that you can buy cheaper android one devices than my phone was I'd say the argument of support from Apple doesn't really stand anymore. 

[Doobeedoo]

Well, nothing too surprising now is it, like stated above it's like Win ver. kinda. I'm on S6 still and works fine, but one thing for sure is needed to change and that's the longer support for Android upgrades and security updates. 

[RejZoR]

@Twilight

iPhones hold their price well. That's good and bad at the same time. Bad that you can't buy them cheap used and good they don't depreciate as quickly when you do have them.

[jagdtigger]

Galaxy S5 runnong Android 9, not effected....

 

[Sauron]

2 hours ago, TVwazhere said:

This is like saying 30% of windows users are at risk of being hacked..... Because they're still using Windows 7. It should be fairly plain to most people that if you're not getting security updates, you're eventually going to be vulnerable to some new attack. 

 

(I'm not saying there's anything wrong with Win 7 or Android 6 and below, it's just....... Not surprising)

I think the major difference is that unlike updating from 7 to 10 this would require the purchase of a new device. Or a custom rom. My phone is on Android 6 but I see little reason outside of that to change it - I think companies should be forced to provide software updates for at least 5 years or at least make it possible for the community to provide support.

 

With that said, unlike Windows it's not very likely for a normal user to install a malicious app and for web based threats hopefully we can rely on browser updates.

[BigDamn]

Sticking with Android 8.0 on my Note8 for as long as possible. Prior to that it was 4.4.4 on my Note4

[RejZoR]

3 minutes ago, Sauron said:

I think the major difference is that unlike updating from 7 to 10 this would require the purchase of a new device. Or a custom rom. My phone is on Android 6 but I see little reason outside of that to change it - I think companies should be forced to provide software updates for at least 5 years or at least make it possible for the community to provide support.

 

With that said, unlike Windows it's not very likely for a normal user to install a malicious app and for web based threats hopefully we can rely on browser updates.

Companies should be forced to open up drivers after the official support period. So they are not forced to have huge expenses with support, but at least give others chance to provide it. Coz biggets issue with support are drivers for modems, chipsets etc, basically for all the internal components. It's usually a reason why ROMs for some devices just never happen. Then maintainers like LineageOS can do their magic.

 

I'd prefer a longer official support, but that's unlikely with rate at which everyone but Apple are churning out phones. I bet Samsung released more phones just last year alone as Apple has in last decade... Of course they aren't going to do so much work to support them all.

[Guest]

17 minutes ago, jagdtigger said:

Galaxy S5 runnong Android 9, not effected....

 

Which is fine for those who can or know how to do it. What we can glean from these figures is that many cannot, or simply don’t know they should.

[SpaceGhostC2C]

Just now, Sauron said:

I think the major difference is that unlike updating from 7 to 10 this would require the purchase of a new device. Or a custom rom. My phone is on Android 6 but I see little reason outside of that to change it - I think companies should be forced to provide software updates for at least 5 years or at least make it possible for the community to provide support.

OR we should move to a hardware =/= software paradigm as in PC, so Linux-like software can be continuously developed in a more hardware-agnostic fashion...

Yes, I'm only dreaming: like we would ever steer our demand based on what's important  

[Sauron]

1 minute ago, SpaceGhostC2C said:

OR we should move to a hardware =/= software paradigm as in PC, so Linux-like software can be continuously developed in a more hardware-agnostic fashion...

But then you would have this same problem with firmware updates and to make a platform agnostic version of android you'd need access to all the device drivers.

4 minutes ago, SpaceGhostC2C said:

Yes, I'm only dreaming: like we would ever steer our demand based on what's important  

Ah, but we could regulate if it actually solved the core issue, that is.

 

But I think the core issue is copyright law as a whole. Ultimately, if you recognize the right of a corporation to control a device's software once that device has been sold, any regulation on the matter is just an inadequate patch on a gaping hole.

[Gegger]

I have a Nexus 5 and since there's a lot of stuff that I can't risk losing on it, so yay! /s

[RejZoR]

22 minutes ago, Sauron said:

But then you would have this same problem with firmware updates and to make a platform agnostic version of android you'd need access to all the device drivers.

Ah, but we could regulate if it actually solved the core issue, that is.

 

But I think the core issue is copyright law as a whole. Ultimately, if you recognize the right of a corporation to control a device's software once that device has been sold, any regulation on the matter is just an inadequate patch on a gaping hole.

It's ALL about drivers. Just few days ago I've installed Manjaro on my laptop. Turns out, it works great with it, EXCEPT the drivers for WiFi thingie which just dont exist. I've managed to fix it by copying bunch of meaningles noodles into console and installing new kernels, but that really shouldn't be the way. Situation on phones is far worse actually. Not only there is often impossible to unlock bootloader, when you can it's incredibly fiddly and overcomplicated process. Then you want to install some "open source" ROM that you found, just to see your device is not supported. And when you do find supported one, a lot of apps bitch that you have unlocked bootloader and refuse to work. It's a nightmare to deal with.

 

If drivers were open, people would prepare and package them for use. I don't think open source drivers would reveal anything that competitors haven't already scrubbed out by reverse engineering things from their competitors. As draconian as it might sound, forcing vendors to open them up if they want to sell products might be the way that would benefit the consumers.

[rcmaehl]

You have tons of choices for continued updates on Android Devices:

 

LineageOS

Resurrection Remix

AOSPE

And a dozen or so more