  Android security is still important, no matter what Google tells you

Posted by Kaloyan C.

Adrian Ludwig speaking at Black Hat USA 2015

On Tuesday at the RSA Conference held in San Francisco, Android’s director of security, Adrian Ludwig, claimed that there have been no confirmed infections as a result of Stagefright, the massively publicized vulnerability uncovered in 2015, and that complex Android malware basically doesn’t exist. As a result, several popular publications have since run stories on how the whole threat of viruses on Android is overblown, with one even dropping the following gem: “With such low rates of infection, it makes you question whether such security flaws are ever worth worrying about?”

Well yes, they absolutely are.

Google is basing its claims on wildly incomplete data

But let’s start with the facts: as Ludwig claims, Stagefright has resulted in zero confirmed infections in the wild – data based on Google Play Services’ built-in malware detection. All that is good and well, except he conveniently forgets to mention the fact that Google Play is unavailable in a number of countries, most notably China, which also happens to be one of the biggest smartphone markets in the world.

So his claim that no Stagefright exploits exist is based on wildly incomplete data, which also just so happens to fit a “pattern” he noticed – this is military-grade disinformation at its best, and it coming from the head of security for the most widely used mobile OS in the world is downright scary.

But never mind the Chinese – what’s important is no Americans were infected, right? Except that’s not concrete information, either: Ludwig claims no confirmed cases exist, raising the possibility that there were, or maybe even still are, probable candidates. And let’s not even begin discussing the fallibility of Google’s malware detection, which has failed a number of times in the past.

Ludwig may be technically correct, but he's still missing the point

Ludwig did have a point, however: regular users needn’t worry about being hacked by elaborate means such as exploiting Stagefright or its brethren – phishing and adware are a much more common occurrence, especially in the mobile world. So the everyday consumer is much more likely to infect themselves, due to their own stupidity and/or ignorance, rather than become an unwitting target of malware.

But this line of thinking is just simple misdirection: while users don’t have to worry about being hacked, the threat of hacking itself is still of great importance, and on a much larger scale to boot. As of a few years back, government officials in the United States are approved to use smartphones when handling classified data. To meet the required security standards, Android devices run specialized forks of the OS with a number of cut features, which presumably include Google Play Services. Or in other words: Google doesn’t have data on one of the biggest markets in the world and one of the most prolific targets of elaborate hacks.

The Qatari government's phishing tactics involved creating fake social media profiles

But it’s not just governments being hacked – the opposite is also just as true, and much more common at that. Just yesterday news broke about a massive phishing operation targeting human rights activists in Qatar, which spanned multiple years and targeted hundreds of people. While this was, admittedly, a phishing attack rather than a malware-based one, it doesn’t discount the possibility of the latter being used for similar purposes; it just means nobody has been caught doing it yet.

As for the obvious question this poses: “Why should I care about Qatar?”, consider this: as of March 2015, it's officially the richest country in the whole world, and is also one of the biggest players in the oil industry. It’s also run by a laughably corrupt government with no regard for human rights, a trend which seems to be getting ever so popular these days. Autocracies like these have both the desire and the resources to exploit vulnerabilities like Stagefright, and use them against their opposition. And who’s to say there isn’t a treasure trove of undiscovered bugs stashed somewhere right now, waiting to get abused?

Yet despite all that, the big G has the audacity to claim worrying about security is meaningless. Well guess what, Google, it isn’t – even just a single successful exploit at the right place and time could be disastrous to millions of people, and it’s your job to protect everyone from it. So how about instead of conducting smear campaigns against security researchers, you try not leaving gaping holes in your code instead, okay?

posted on 16 Feb 2017, 09:12

blingblingthing

Fair enough.
I believe it's more the case to always be aware. Know where you're getting your apps from. Always remember you didn't win money, so you don't need to send the sender money to cover a wire fee.

posted on 16 Feb 2017, 10:19

Finalflash

Security is very important and should never be taken so loosely as stated. Having said that, the problem with this article is that the author is also coming to the table without evidence. He goes from Google having incomplete data and being lax to conflating a phishing attack with a malware attack that he has no evidence of currently existing. Then he goes on a diatribe about how corrupt the Qatari government is, a place which most viewers here don't care about. He would have been better off using the NSA as an example since they're known for this sort of surveillance. The fact that these exploits have been fixed in anything above Android 2.3 goes over the author's head and it seems like, and it likely is, a hit piece by a fanboy author (probably an iFan) like the type iPA hires (Alan, Victor, that one guy without spelling or grammar check, etc.).

posted on 16 Feb 2017, 09:38

marorun

The writer is funny.
How many Chinese from China are coming to PA?
We don't give a damn if they get infected by using a non-official webstore.

posted on 16 Feb 2017, 09:48

marorun

7 years using Android, never got any issue with malware, viruses, etc.

5 years working for a telecom company and I had as many infected iPhones as Android (which is like 3-4 max of each in 5 years).

Overblown indeed.

Also, the writer doesn't tell how iPhones also get infected using a China-based store.
Stagefright existed on iOS up to a few months back; it's existed for years (getting infected by SMS and pictures), but you never hear about it until it's patched. That's Apple's way of giving you a false sense of security.

Another anti-Android article by a pro-Apple website, I guess.

posted on 16 Feb 2017, 10:03

AmashAziz

This article is about Android; why do you have to put Apple inside every hole?

posted on 16 Feb 2017, 10:05

Leo_MC

Stop talking crap: iOS users can't use anything else but the official App Store.
We're not talking about jb devices.

posted on 16 Feb 2017, 10:50

mikehunta727

iOS is up to 6-7x more secure than Nougat, just ask the CEO of the largest blackhat company in the world who pays out $1.5 million per iOS exploit and 7x less for Android exploits.

Android security issues are not overblown at all, there are literally tens of millions if not hundreds of millions of Android devices being abused right now on many Android devices that are OS versions behind with known exploits to unsuspecting users. Right now more than half of the Android userbase in some aspects is literally years behind in security vs iOS (Nougat is still lacking some critical encryption features that were present in iOS 4, over 6 years ago), etc.

Stagefright for iOS was found and once it was known, Apple patched it immediately. Stagefright still affects nearly a billion Android devices in the world right now, less than 3% affects iOS devices, see that difference?

No one literally cares if you did or did not get any malware or virus on Android when hundreds of millions of Android users have/are being exploited right now by known exploits because many Android devices take years to get updates, if ever.

posted on 16 Feb 2017, 10:56

mikehunta727

You talking about false sense of security, nothing is worse than that for those who aren't on the latest Android version and are using an antivirus from the Play Store that literally does nothing but bog down your phone and drain your battery faster LOL...

Let's take a moment of silence for the hundreds of millions all across the globe right now who are being targeted by hackers/malware in their devices because their devices remain on Lollipop 5.0.1/KitKat or something like that and are being destroyed by known exploits in these OS versions, people are being abused by Stagefright/banking malware/much more all on Android right now across the world.

posted on 16 Feb 2017, 14:48

AlikMalix

Hey marorun, for the benefit of doubt, give me three examples of how iPhones were infected and Android were infected. How do you know this is a virus/malware infection? Don't google some examples - I know what they are - instead I want your process of how your shop determines and deals with 3-4 iPhones and Androids a year!


posted on 16 Feb 2017, 10:00

Panzer

The biggest security issue with all devices is the thing that sits between the screen and the chair.

posted on 16 Feb 2017, 10:04

AmashAziz

Yeah, but that cannot be diminished.

posted on 16 Feb 2017, 10:53

miguente

Ok, so dear writer, I've tried to boil down your conjectures here, just to be sure I got it right:

1) Stagefright has resulted in zero confirmed infections in the wild (truth). This means that Google categorically denies that Stagefright exploits may exist (no, you invented that) and that they are misinforming "military-grade" (what?).

2) There are no confirmed cases, which MUST mean that there is a "possibility that there were, or maybe even still are, probable candidates" (yes, like when if there are no confirmed iPhone malware infections it MUST mean that there is a possibility they exist? Nothing is everything?) Also, on another note, Android malware detection sucks (well, apparently it doesn't, does it? Otherwise there would have been actual confirmed cases).

3) Regular users, i.e. everyone who doesn't deliberately open up a phone for intrusion, e.g. unlocks the bootloader, jailbreaks an iPhone etc., needn’t worry about being hacked by elaborate means (the writer just agreed with the message of Ludwig). BUT this is a "misdirection" (you're misdirecting us?): Google Play Services is presumably (the writer makes a guess here to speculate/invent, no facts backing this up) "cut" on the Android devices used by U.S. gov't officials. This means that Google doesn't have data "on one of the biggest markets in the world" (wait, what? First, you don't even know whether Google has data from these devices, second, how does the number of phones wielded by US gov't officials constitute "one of the biggest markets in the world"??? How many hundreds of millions work in the US gov't?)

4) Every day, normal people are targeted in PHISHING (which is not malware-related and thus makes no sense to mention in the context of Ludwig's speech). The recent phishing attack in Qatar must mean that there are malware attacks out there that have just not been caught, and they surely must be on Android (seriously, you are just rambling by now).

5) You should worry about having an Android phone because of phishing in Qatar and because the Qatar gov't is VERY rich and has LOTS of oil and is VERY corrupt. The writer is convinced they want to use Stagefright and other malware against their opposition. Oh, and you should be scared. (While the gov't of Qatar is surely corrupt and wants to fight their opposition by all means, what does it have to do with Google and Android? And what doesn't it have to do with Apple and iPhones, or Microsoft and Surface Books? There is simply no relation here to what Ludwig said on stage.)

6) "Yet despite all that (what?), the big G has the audacity to claim worrying about security is meaningless. Well guess what, Google, it isn’t" (Easy now, the "big G" has not claimed that worrying about security is meaningless at all, far from it. As you put it yourself, that quote comes from a "popular publication". But you have no qualms claiming that this statement made by a publication not related to Google is suddenly official Google policy. Wow.)

posted on 16 Feb 2017, 11:53

FlySheikh

This article is poorly written.

posted on 16 Feb 2017, 15:06

Subie

It came across as a rant to me.

posted on 16 Feb 2017, 12:52

RoboticEngi

It's funny, here in our home we have 1 Samsung and 1 iPhone. Guess who had his/her account hacked... yes, the iPhone of course... which brand was it with all the celebrities? Which brand was it in Australia with the ransomware etc. etc. etc... I'm sorry, you can cry all day long iphonearena, together with all the sheep. But it's funny how it is some nasty hits your cult OS gets all the time...

posted on 16 Feb 2017, 17:49

mikehunta727

That really awkward moment when you realize the celebgate hacker actually hacked into more Gmail accounts than iCloud accounts

"Collins' hacking efforts, which involved at least 50 iCloud and 72 Gmail accounts, reinforce the need for consumers to be wary about disclosing their passwords—even when the request appears to come from a site like Google or Apple— and to deploy security measures like two-factor authentication."

72 Gmail accounts vs 50 iCloud accounts


Don't blame the iPhone for your relative's easy password/lack of 2 factor authentication on her/his iCloud account, that is their fault and not iPhone or iCloud's fault, take better steps next time.

Also, there is much more malware/exploits on Android vs iOS, the CEO of the largest blackhat company in the world, who offers $1.5 million dollars per iOS exploit vs $200,000 per Android exploit says iOS 10 is up to 6-7x more secure than Android Nougat is, guess how many people are on Nougat? Less than 1% of the Android user base, over 2 and a half billion people are still not on Nougat. Guess how many people are on iOS 10? Over 80% of the active iOS user base.

I am sorry that you're a believer in alternative facts and can't critically think for yourself

