14 Sep 2012
A mobile application developed by security researchers at Duo Security revealed that more than half of mobile devices running Android are exposed to unpatched security flaws. The application, called X-Ray, does not attempt to find bugs in installed third-party apps; instead it looks for known, unpatched vulnerabilities in the mobile operating system itself.
According to Jon Oberheide, co-founder at tech startup Duo Security, half of the 20,000 analyzed mobile phones have unpatched vulnerabilities that would allow an attacker to take control of the smartphone. The percentage is, if anything, optimistic, given that the platform-distribution data Google shares with Android developers puts Gingerbread and earlier Android versions at a whopping 75.8 percent.
“Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc.) has performed thus far,” wrote Oberheide in a blog post. “We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.”
X-Ray is able to scan for known vulnerabilities including ASHMEM, Exploid, Gingerbreak, Levitator, Mempodroid, Wunderbar, ZergRush and Zimperlich. Some of these bugs are still used by phone owners to deliberately root their own phones so they can install other operating systems on them. Sometimes, though, malware uses them to gain administrative (root) privileges on the smartphone and take over the device.
In the mobile world, patching is done differently than on computers. Many carriers decide to block the installation of newer versions of Android on low-end and mid-range handsets so as not to overtax their hardware. At the moment, the most effective forms of patching involve either rooting the phone and installing an alternative ROM (such as Cyanogen), or buying a new smartphone with more capable hardware and a newer operating system.