While Google has been regularly pushing out patches for Android devices to improve the current state of security in the Android ecosystem, its annual security report shows that Android patching is likely to remain a challenge for years to come (via ZDNet). According to Google’s 2015 Annual Android Security Report, nearly one in three devices will never get latest security patches. Over 70% of Android devices were eligible for the monthly security updates in 2015, leaving almost 30% unsupported to even receive a patch.
Google has released several monthly fixes for its own Nexus devices in the past 8 months and have also passed these on to handset makers for Android 4.4.4 KitKat and higher. However, these updates require handset makers to customize the updates for each device model and then for carriers to push them out to end users. “We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs,” Google lead engineer for Android security Adrian Ludwig said.
“Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices. Despite this progress, many Android devices are still not receiving monthly updates. We are increasing our efforts to help partners update more devices in a timely manner,” he said.
Google also highlights in the report that malware or “potentially harmful applications” is a very low risk for users who only install apps from Google Play, detecting infections on 0.15 of these devices. Devices that install apps from outside of Google Play were around 10 times more like to have malware, it said.
The report notes that over four million Android devices were infected with Ghost Push apps in 2015, and that it has now been removed from 90% of infected devices.