Google has released its fifth annual Android Security & Privacy Year in Review report, covering 2018. The report describes the state of the Android ecosystem in terms of known vulnerabilities and active threats, and explains how Google's latest features and improvements have affected privacy and security for end users. The company says it has stepped up its efforts to be transparent and publish regular reports, alongside educating users and pushing software updates more aggressively and directly. According to Google's announcement of the report, this year's highlights are how new Google Play Protect features have addressed risks, the detection of potentially harmful applications, updates on Google's vulnerability rewards programme, and overall platform security enhancements.
This year, which marks the 10th anniversary of the Android operating system, Google says it has made massive investments in security and privacy technology. The headline finding of the report is that only 0.08 percent of devices that installed apps exclusively through the Google Play Store were affected by potentially harmful applications (PHAs).
The company credits this to its Google Play Protect features, and says that devices on which apps were installed from other sources were affected by PHAs eight times as often. Google Play Protect scans over 500,000 apps every day using machine learning techniques in the cloud as part of its vetting process, and is now enabled by default on all new Android devices. Google also now helps manufacturers scan their Android builds before shipping potentially compromised phones into the ecosystem, and says that it prevented 242 such incidents in 2018. The report states that 0.92 percent of all sideloaded apps were PHAs in 2018, down from 1.48 percent in 2017.
Specifically regarding India, which the report calls "by far the biggest market" for Android, the rate of PHA-affected devices fell 35 percent year-over-year, with only 0.65 percent of all devices affected by a PHA at any point in time. India also stopped having the highest rate of PHA infections, with Indonesia taking over that position. The most common threats in India were a video app that mines cryptocurrency in the background, and various trojans and backdoors either preinstalled on new phones or introduced through "untrustworthy OTA companies".
India is also the biggest target for trojans, accounting for 22.4 percent of trojan activity, followed by Germany at 6.5 percent. About 0.007 percent of all app installs from Google Play, and 16 percent of all PHA installs from Google Play, were trojans in 2018, which is actually an increase of 0.004 percentage points over 2017. The most common trojan family is Idle Coconut, which turns affected devices into endpoints for commercial VPN providers without the knowledge or consent of the device owner. For app installs from outside Google Play, India accounted for 27.7 percent of trojan activity, largely apps that mine cryptocurrency in the background without user consent.
Hostile downloaders, apps that facilitate the installation of other apps, often for profit, also hit India particularly hard, with 18.9 percent of such threats occurring there. Google attributes these to third-party app stores with lax security, fake app stores built specifically to spread malware, OEMs that preinstall them, and users who download seemingly useful apps that conceal such behaviour.
The next biggest threat is SMS fraud, which comprised 0.003 percent of Google Play app installs and 6.8 percent of PHA installs. India is not as highly targeted here, with only 2.1 percent of such threats directed at it. Google notes that since October 2018, its Google Play developer policy has barred an app from even requesting SMS permissions unless the user has made it their default SMS handler.
Google says that no security flaws were found to have compromised its Pixel series devices in 2018, and that no major security threat to the Android platform became publicly known before the company already had a mitigation ready.
Google regularly rewards outside researchers and security enthusiasts who find and report vulnerabilities and thereby tighten the platform's security. According to the report, the company has now paid out over $3 million in total rewards. Google also says it partners with several research firms and runs competitions to help surface potential threats.
Google also credits the improved frequency of security updates and initiatives such as Project Treble, which separates the Android OS framework from the vendor's hardware-specific code so that phone manufacturers can deliver Google's periodic security updates without bundling them into major OS upgrades, which might arrive late or not at all. The report states that 84 percent more devices received a security update in Q4 2018 than in Q4 2017. Further, 95 percent of Google's Pixel 3 and Pixel 3 XL smartphones were running a security update no older than 90 days as of December 2018.