The Android ecosystem contains a hidden patch gap
Installing updates every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that some Android vendors regularly miss patches, leaving parts of the ecosystem exposed to the underlying risks.
Android exploitation is still hard
Modern operating systems include several security barriers, for example ASLR and sandboxing, all of which typically need to be breached to remotely hack a phone. Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack.
The criminal ecosystem seems to understand the challenges in hacking Android phones. Instead of exploiting known software vulnerabilities, criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps. In fact, hardly any criminal hacking activity has been observed around Android in 2017.
That leaves state-sponsored and other persistent hackers, who usually operate stealthily. These well-funded hackers would typically resort to “zero day” vulnerabilities but may also rely on known bugs to develop effective exploit chains. Patching known bugs hence increases the effort for these very determined hackers.
Be aware of your Android patch level
As Android is ever increasing in popularity, the hacking incentives will only keep growing, as does the ecosystem’s responsibility for keeping its users secure. No single defense layer can withstand large hacking incentives for very long, prompting “defense in depth” approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android.
Now that monthly patches are an established baseline for many phones, it’s time to ask for each monthly update to cover all relevant patches. And it’s time to start verifying vendor claims about the security of our devices. You can measure the patch level of your own Android phone using the free app SnoopSnitch, which checks whether the individual security patches are actually installed: https://f-droid.org/app/de.srlabs.snoopsnitch
Read more... https://srlabs.de/bites/android_patch_gap/
and-priv-sec recommends -
* using devices which are still getting full security updates from their vendor
* only using apps from a trusted app store - Google Play or, better yet, F-Droid, which has yet to have any known malware.
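As an added example (not code from the original post or from SRLabs), the POSIX shell script below grades the patch level a device claims, the figure the SnoopSnitch paragraph above says to verify rather than trust, and flags whether it is the partial or the full monthly level that the first recommendation asks for. The adb property name is real; the verdict thresholds are this example's own choice.

```shell
#!/bin/sh
# Added example, not code from the original post or from SRLabs: grades the security
# patch level an Android device *claims* (the ro.build.version.security_patch
# property). The claim is only a lower bound on risk: the study above found vendors
# shipping that string without every patch behind it, so confirm with SnoopSnitch.

# Accept only the YYYY-MM-DD form the property uses; print it or fail.
parse_patch_level() {
  level=$(printf '%s' "$1" | tr -d '\r')   # adb output is CRLF-terminated
  case "$level" in
    [0-9][0-9][0-9][0-9]-0[1-9]-0[15]|[0-9][0-9][0-9][0-9]-1[0-2]-0[15]) ;;
    *) return 1 ;;
  esac
  printf '%s\n' "$level"
}

# Whole months by which patch level $1 lags reference date $2 (both YYYY-MM-DD).
months_behind() {
  py=${1%%-*}; rest=${1#*-}; pm=${rest%%-*}; pm=${pm#0}   # strip leading zero
  ry=${2%%-*}; rest=${2#*-}; rm=${rest%%-*}; rm=${rm#0}   # (avoids octal parsing)
  echo $(( (ry - py) * 12 + (rm - pm) ))
}

# Verdict thresholds are this example's own choice. Android publishes two levels per
# month: -01 (framework fixes) and -05 (-01 plus vendor and kernel fixes), so a
# device reporting -01 is still missing that month's vendor-specific patches.
grade_patch_level() {
  level=$(parse_patch_level "$1") || { echo "unknown: property missing or malformed"; return 2; }
  lag=$(months_behind "$level" "$2")
  rest=${level#*-}; day=${rest#*-}
  if [ "$day" = 05 ]; then completeness=complete; else completeness=partial; fi
  if [ "$lag" -le 1 ]; then verdict=current
  elif [ "$lag" -le 3 ]; then verdict=lagging
  else verdict=stale; fi
  echo "$verdict ($completeness level $level, $lag month(s) behind $2)"
}

# Live use: pull the property from a USB-debugging-enabled device and grade it today.
if [ "${1:-}" = "--device" ]; then
  grade_patch_level "$(adb shell getprop ro.build.version.security_patch)" "$(date +%F)"
fi
```

Run it as `sh check_patch_level.sh --device` with a phone attached; a "current" verdict only means the vendor's string is recent, not that every patch behind it shipped.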