Every few months, there is a security vulnerability in Android that allegedly affects hundreds of millions of Android smartphones. In recent years, for example, there were Quadrooter and Stagefright. The two vulnerabilities were considerably different. How secure is Android in daily life and what really helps against the dangers from the internet?
Quadrooter exploited several security holes in Qualcomm drivers, which caused a stir in the summer of 2016. Nine hundred million Android devices were affected. Danger! Danger! At least that's the way it was presented by those who discovered the gaps. However, in order to take advantage of the Quadrooter vulnerability, the attacker must be able to install and run a suitably designed app on a smartphone.
The Stagefright vulnerability was quite different. This was hidden in the functions for the processing of media files or streams. The problem: even a video sent as an MMS could be exploited. An attacker could send a file to the user and the dangerous code would be executed. Starting with Android 4.0, it is harder to exploit the vulnerability due to system interventions, but it is not impossible.
The difference between the two security gaps is obvious: Quadrooter requires a few steps on the part of the user, while Stagefright could be exploited remotely and without user interaction.
Which standard tools are available against security vulnerabilities like Stagefright, Quadrooter, and others?
Android has several ways of ensuring the security of users. The three most important measures are presented here in detail.
1. Prevent installation of unknown apps
In the Android system settings, there's a setting to allow or disallow installations of apps of unknown origin. This option is deactivated on devices in their delivery state, so you can only install apps from the Play Store. Some manufacturers have their own app store preinstalled, such as Samsung with its Galaxy Apps. For these, the restriction does not apply.
This option protects you against malware distributed via a non-reliable app store or simple internet pages. Because such nefarious apps are eliminated very quickly from the Play Store, news about malware in the Play Store has become very rare.
Unknown sources must be activated, however, to use Amazon's app store, or for alternatives such as F-Droid. What can you do in this case?
2. Google's virus scanner
Google's second line of defense does not have compatibility issues, but offers security against malicious apps: virus scanning.
Starting with Android 4.2, this setting is available and now part of Google Play services. By default, this is also activated and you should leave it that way. This setting allows apps to be scanned for possible malware before installation. If malware is discovered, Android denies the installation. At least that's how it works in theory.
Quadrooter doesn't have a chance. Google confirmed with Android Central just a few days after the discovery that Quadrooter malware cannot be installed – as long as the corresponding setting is set. Android's security chief, Adrian Ludwig, asserted it was similar to Gooligan, the malware that, in December 2016, was known to have hacked Google accounts. What's behind these warnings?
The Android Security Report for 2015 (as of April 2016) says that with this technique, the threat landscape for Android users could be significantly reduced. With this feature, malware apps stood no chance against Google.
This measure has been improved several times since the first version. Basically, the app verification works by calculating the fingerprint (hash value) of an APK. This is compared against Google's database, which contains possible dangers. Google not only scans apps on the Play Store, but also APKs that are accessible through the web. This simple method is really quite effective, as around 90 percent of all apps installed outside the Play Store are already known to Google and have been scanned for potential security issues.
In addition, Google is able to extract individual features from apps and subject them to a very similar process. This allows Google to detect dangerous features and warn the user, if necessary, and even prevent the installation of such an app. In the meantime, Google even scans the installed apps in the course of the operation and can thus also warn against subsequent manipulations of an already-installed app. In an extreme case, there's even the possibility to remove apps from the smartphone, even if these were given permissions by a device administrator.
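The two checks described above, as an added example that is not Google's implementation and not code from the original article: a whole-file hash lookup, followed by a lookup of individual components. Hashing each file inside the archive is an assumed stand-in for the "individual features"; all function names and sample APKs are hypothetical and constructed in memory.

```python
import hashlib
import io
import zipfile

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def build_apk(entries):
    """Build a constructed, APK-like ZIP archive in memory (sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def entry_fingerprints(apk_bytes):
    """Hash every file inside the archive separately (assumed 'features')."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {name: sha256(zf.read(name)) for name in zf.namelist()}

def verify(apk_bytes, known_bad_files, known_bad_entries):
    """Return 'block', 'warn' or 'allow' for an APK before installation."""
    # Check 1: fingerprint of the complete APK against the database.
    if sha256(apk_bytes) in known_bad_files:
        return "block"
    # Check 2: the same lookup, applied to each component of the package.
    hits = [name for name, digest in entry_fingerprints(apk_bytes).items()
            if digest in known_bad_entries]
    return "warn" if hits else "allow"

# Constructed samples: a known adware APK, the same code shipped in a
# different package, and an unrelated benign app.
MANIFEST = b"<manifest/>"
ADWARE_DEX = b"constructed-adware-code"
known_apk = build_apk({"AndroidManifest.xml": MANIFEST,
                       "classes.dex": ADWARE_DEX})
repacked_apk = build_apk({"AndroidManifest.xml": MANIFEST,
                          "classes.dex": ADWARE_DEX,
                          "assets/extra.bin": b"\x00"})
clean_apk = build_apk({"AndroidManifest.xml": MANIFEST,
                       "classes.dex": b"constructed-benign-code"})

KNOWN_BAD_FILES = {sha256(known_apk)}       # database of whole-APK hashes
KNOWN_BAD_ENTRIES = {sha256(ADWARE_DEX)}    # database of component hashes

if __name__ == "__main__":
    for label, apk in [("known", known_apk), ("repacked", repacked_apk),
                       ("clean", clean_apk)]:
        print(label, verify(apk, KNOWN_BAD_FILES, KNOWN_BAD_ENTRIES))
```

The repackaged sample has a different whole-file hash than the known one, so only the component lookup recognizes it; this is why the exact-hash comparison alone is not sufficient.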
However, Google cannot protect against all of the latest malware attacks. But, after a few hours at earliest, or days at the most, almost all Android users should be protected against the installation of a particular malware app – as in the case of Quadrooter. In the Play Store, similar measures are used. Google also analyzes the behavior of the developers registered there, and can prevent unfair practices by app developers.
Calmed by this information, I dared to put it to the test. Why not try to check this protection? So, I activated the unknown sources setting, installed (as a rehearsal) several virus scanners from the Play Store, and I went (quite uninspired) on the search for Super Mario Run for Android as current downloads should be full of malware. The result? The installation worked without problems, and several virus scanners warned against a threat. When I looked closely, I had apparently caught a piece of adware, which can be tagged as "unwanted behavior." Obviously, however, this is not a very sophisticated malware that poses danger to my data or mobile phone bill. I didn't get a warning from Google.
My little experiment showed that Google's app scanner lets apps through. It's unclear whether this is a conscious decision: it's conceivable that Google does not classify certain forms of adware as a risk, but wants to find concrete, dangerous functions in apps before it sets off an alarm.
3. Current security patches
Android is based on Linux and there is yet a third layer of protection for users: a current and fully patched operating system is still the most reliable protection.
The extremely dangerous Stagefright vulnerability led Google to rethink: since then, there have been monthly security updates for Android. Eighteen patch collections have been released since. To get the complete picture, you should know that Google provides these patches not only for the latest Android version, but the patches are also released (if necessary) for older Android versions back to Android 4.4.
It can also happen that a smartphone with Android Marshmallow is on a safer standing than one with Nougat. The Moto Z with Android Nougat, for example, stands protected by security patches from November 2016, while the Galaxy S7 is on safer standing with its Marshmallow firmware security patches from December 2016. The state of security patches is relevant to the assessment of safety.
Common sense responsibility is irreplaceable
Perhaps a fourth protective wall is, of course, the user himself: if someone disables or ignores all of the above security measures, installs an APK download from an SMS that was sent in broken English, and then wildly sends the code to anonymous numbers, they have violated all the security rules one can think of.
And my hunt for the APK for Super Mario Run? The game has not yet been released, so I should not install it, even if it is offered to me in WhatsApp or on an advertising banner.
It is therefore advised to act cautiously and not take any download offers or security warnings by email, SMS or WhatsApp seriously: using your head and acting responsibly is always a good idea (not just for smartphone security).
Are security apps needed for Android?
My little experiment, outlined above, was clear. Several self-installed virus scanners warned me of the adware being used. Google's security report is primarily to flag potentially dangerous applications, but the antivirus vendors notify of potentially unwanted apps in addition to dangerous ones, which is a lower threshold and thus covers you more.
I would have stayed protected from this adware, by the way, if I had not activated the unknown sources option. Another important aspect is that there are, of course, still other dangers for Android users. Looking at the descriptions of the various security suites in the Play Store, it is also noticeable that the virus scanner functions are only a small component. Much more useful here are the data protection functions or the protection against attacks via web browser and email. So there are quite a lot of arguments for a virus scanner.
Recommended safety settings at a glance
In short, here is the list of recommended actions and settings. First, the important system settings:
- Lock screen and security > Security > Unknown sources: It's best to not allow it or to forbid it immediately after an installation.
- Google > Security > Verify apps
  - Scan device for security threats: leave it switched on
  - Improve harmful app detection: helps Google detect non-scanned apps. Activate the option.
A virus scanner is especially recommended if you use apps from unknown sources. Besides this: install security updates for as long as they appear for your smartphone. Does your manufacturer provide any updates? Or only very reluctantly? Write to the manufacturer and let them know they should consider changing their update policy.
Conclusion: Android is safe, but not one hundred percent
Back to the initial question: did Quadrooter really affect 900 million devices? Theoretically, they were vulnerable to the security gap: yes. But Google's protection measures would have quickly reduced this figure. Especially in Europe, most smartphones are sold with Google services, leaving mostly Asian smartphones without Google add-ons. And anyone who does not allow apps from unknown sources was off the hook anyway (and not really susceptible to the vulnerability).
This also means: Quadrooter is by no means threatening hundreds of millions of smartphones, but a much smaller number of users. It is questionable, of course, whether the app scanning can really intercept all Quadrooter exploits. A more comprehensive test with appropriately prepared apps would have to show this. I am willing, however, to stick with Google's all-clear: Google's statements are very concrete and clear.
Stagefright, on the other hand, can only be stopped by a security patch. Here, in fact, most smartphones were vulnerable, so much so that network operators temporarily deactivated MMS delivery. Google, on the other hand, recommends not allowing messenger apps to automatically process media data. The insidiousness of Stagefright is that anyone who has an old Android version without the security patch level is still affected by the vulnerability. Today, we are mainly talking about users who use Android 4.3 and older, but KitKat and Lollipop smartphones are probably still vulnerable too.
Google learned from Stagefright, however, and took the right path with its monthly security patches. Now, the only thing that needs improvement is the distribution of the updates. Here, the manufacturers are specifically asked to distribute the updates to users.
How serious are you about security? Have you taken these security measures already?