Why Android Security is important

Android security should be hot on IT’s radar this year. In our recent Cloud Security Report for 2021, we reviewed some of the major security events and trends over the past year and identified some pertinent to Android. We found that:

  • 52% of organizations experienced a malware incident on a remote device in 2020, up from 37% in 2019; a 41% increase. 
  • Android was 5.3x more likely to have a vulnerable app installed than iOS devices. 

According to Panasonic Business research, Android is typically the preferred OS for businesses, with 72% of handheld devices using the Google OS. However, despite broad adoption, there are still security and device management concerns for businesses. These concerns can be exacerbated by remote working, as many businesses have had to adopt BYOD strategies.

The Android OS is a far more open platform than its Apple counterpart, and not putting sufficient security provisions in place to ensure an Android device meets baseline security requirements will introduce unnecessary risk.

Examples of Android Security incidents

In 2020, there were a number of Android security incidents including:

  • A severe ‘StrandHogg 2.0’ zero-click bug affected devices running Android 9.0 or earlier. This vulnerability enables hackers to hijack any application, giving them access to personally identifiable information (PII). 
  • The March 2020 Android Security bulletin confirmed an elevation-of-privilege vulnerability (CVE-2020-0069) that not only affects millions of Android devices but which is also being actively exploited by cybercriminals.
  • There were serious issues reported with Google’s Play Protect, a malware protection tool that wasn’t able to prevent all dodgy apps from reaching users’ devices.

Threats continue to evolve, e.g. zero-day bugs. To stay secure during times of remote work, where IT lacks visibility over devices, it’s crucial for businesses to further understand the implications of Android security and to employ the belts and braces to protect them.

This is by no means an exhaustive list of Android security issues, but it demonstrates that without keeping an eye on OS-specific security issues, your business is potentially exposed. One problem in managing security across a number of devices is user behavior.

Android security and user behavior

We touched upon user behavior in relation to Android devices in our Cloud Security Report. You may remember the much publicized WhatsApp vulnerability in 2019, which enabled attackers to spread malware using a GIF file. Only 50% of users made that security update within that month.

Compared to iOS users, it seems like Android users are less diligent when it comes to updating their OS.

[Graph: Android security updates vs. iOS]

Staying on top of device health is a tall order for IT administrators, and doing it manually is a non-starter, particularly for Android which is a less standardized platform compared to iOS.

Read more: Wandera’s Cloud Security Report 2021

Our study found that businesses with 500 users or fewer run 11.3 different OS versions, on 1.4 different OSs, across 1.8 different models. In contrast, larger organizations with 500 users or more run 39.4 different OS versions, on 1.6 different OSs, across 2.6 different device models.

As you’re spending more time ensuring OSs are up-to-date, you may find you potentially have less time to monitor device health and app security, which could be detrimental to your environment. 

Android security and third party app stores

A third-party app or store is any app or store that isn’t native to the device, so it’s created by a vendor different from the manufacturer who created the device or OS. Most of the apps available on third-party app stores are available on the Google Play Store, but there are a few popular exceptions like Fortnite, Viper4Android and XTunes. We found that 1 in 10 Android devices used for work had a third-party app store installed, that is, one that isn’t the iOS or Google Play store.

Although these apps may appear secure because they’re hosted on a seemingly reputable app store, this isn’t always the case. The vetting process for third-party app stores is typically less robust than that of the official stores, which makes them more susceptible to malicious and risky apps.

Developers have designed specific apps with built-in scams or modes of fraudulent activity, which appear legitimate to the average user through third-party marketing. The impact of dodgy mobile ads can go further than irritating pop-ups; they can also reach a device via legitimate ad networks through malvertising. In the past, we’ve seen dodgy apps appear on the Android app store, even though you’d assume they would’ve passed numerous security checks, such as anything created by the developer Tap Sky. Many of these have obvious signs of being untrustworthy, with pop-ups appearing all over the screen and making the device unusable. However, some are cleverly deceiving.

For example, popular third-party app store Fortnite gives users access to their games so as to avoid giving 30% of their profits to Google. If your users are working in a BYOD environment, and your child wants to play a game hosted on that store, why wouldn’t you download it? More specifically, if you look at the instructions for download on Android on the site of Epic Games (the owners of Fortnite), they don’t mention anything about security risks. All people want to do is download the Fortnite games. The main issue here is that third-party app stores are not upfront about security risks.

For instance, Google discovered a vulnerability in Fortnite’s installer that could be exploited to hijack the request to download Fortnite from Epic and secretly download something else.

That said, both the Play Store and App Store have their fair share of malicious apps. Employees need to be mindful of what applications they download. For corporate-owned devices, it is far easier to administer the applications that are installed. In a BYOD environment, however, control is limited, so a better understanding of device health is needed to allow secure connection to corporate services.

Android’s rooted devices

In 2020, we found a 20% increase in rooted Android devices used for work purposes. This becomes problematic because rooting disables some of the security features which make the OS safe; it also prevents users from updating the OS. As we’ve mentioned, today’s online environment is rife with threats.

In the case of Android, for users to access sideloaded or dodgy apps, the device would need to be rooted. Android’s default configuration does mean that sideloaded apps cannot be downloaded onto the device, but users have been able to disable and tweak this. Our data found that one in five Android users configure their devices so they can access third-party installs. 

Recommendations for Android Security

Our recommendation to IT teams and business leaders is to ensure you have the correct tools to manage Android devices. A good first step would be to sign up for Android security bulletins to find out about any vulnerabilities and threats. You should also ensure you have app vetting in place to gain a better understanding of app permissions and their implications. You can also sign up for our newsletter for breaking news on security incidents and how you can remedy them. 
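
As an added illustration (not Wandera's tooling and not code from the report), the sketch below checks two of the signals discussed in this article, apps installed from outside Google Play and a stale security patch level, using the output of `adb shell pm list packages -3 -i` and `adb shell getprop ro.build.version.security_patch`. The trusted-installer list, the minimum patch level and the sample output are assumptions constructed for the example.

```python
import re
from datetime import date

# Assumed policy values for this example, not taken from the article.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play Store
MIN_PATCH_LEVEL = date(2020, 3, 5)            # assumed baseline patch level

# Constructed sample of `adb shell pm list packages -3 -i` output.
SAMPLE_PACKAGES = """\
package:com.example.mail  installer=com.android.vending
package:com.example.game  installer=com.example.altstore
package:com.example.tool  installer=null
"""

LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Map package name -> installer package (None when none is recorded)."""
    result = {}
    for line in pm_output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            pkg, installer = match.groups()
            result[pkg] = None if installer == "null" else installer
    return result

def untrusted_installs(pm_output, trusted=TRUSTED_INSTALLERS):
    """Return sorted (package, installer) pairs not installed by a trusted store."""
    installers = parse_installers(pm_output)
    return sorted((p, i) for p, i in installers.items() if i not in trusted)

def patch_is_current(security_patch, minimum=MIN_PATCH_LEVEL):
    """security_patch is the ro.build.version.security_patch value (YYYY-MM-DD)."""
    try:
        return date.fromisoformat(security_patch.strip()) >= minimum
    except ValueError:
        return False  # a missing or malformed value fails closed

def assess(pm_output, security_patch, minimum=MIN_PATCH_LEVEL):
    """Return a list of findings; an empty list means the device passes."""
    findings = []
    if not patch_is_current(security_patch, minimum):
        findings.append(
            f"security patch '{security_patch.strip()}' is missing or older than {minimum}")
    for pkg, installer in untrusted_installs(pm_output):
        source = installer or "no recorded installer (sideloaded)"
        findings.append(f"{pkg} installed via {source}")
    return findings

if __name__ == "__main__":
    for finding in assess(SAMPLE_PACKAGES, "2020-02-05"):
        print(finding)
```
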

Wandera’s Private Access solution uses a Zero Trust architecture which safeguards your company data against adversaries. We also use MI:RIAM, the first AI advanced threat intelligence engine of its kind, which scans your apps continuously. In the last 12 months, we’ve checked 72 million apps for malicious code, suspicious developers, dangerous permissions and anomalous characteristics. To find out more, visit our Private Access page here.

[Image: Android security and the power of MI:RIAM. MI:RIAM stats, captured on 25th Jan]