In the first quarter of 2018, the G DATA security experts detected an average of 9,411 new pieces of malware every day for the popular Android operating system. That is one new piece of malware every 10 seconds. For 2018 as a whole, the G DATA analysts are forecasting around 3.4 million new pieces of Android malware. The latest figures prove the growing threat to smartphone users. Cyber criminals know only too well that the mobile all-rounders have long been used for all digital tasks, from shopping to banking. The Android developers are making every effort to equip all smartphones and tablets with important updates more effectively and more promptly. The reason: state-of-the-art devices are less exposed to attacks from cyber criminals because their security holes have been closed.
Google does not certify smartphones with outdated Android
Google is no longer certifying devices equipped with Android 7 ("Nougat") as the operating system. The decision is not surprising: with “Project Treble” and other measures, the company is already taking steps to convince manufacturers to equip smartphones with updates and the latest version of Android in good time.
For manufacturers, it is very important that their equipment is certified. This is the only way to gain access to Google Mobile Services, which includes all of the company's services and apps, including the Play Store. The requirements for manufacturers to obtain certification are laid down in the so-called “Compatibility Definition Document”. Today, smartphones and tablets have to be delivered with Android 8. This ensures that “Project Treble” is implemented on all new devices. But have manufacturers already found loopholes? A recent report from the security researchers of Security Research Labs suggests so.
Are manufacturers cheating with the Android updates?
Security experts are criticising smartphone manufacturers for deceiving customers about updates to their devices and the installed Android operating system. More than 1,000 smartphones, including devices from well-known manufacturers, are affected, especially in the entry-level and mid-range categories. The user is told that the device has all available security updates and is up-to-date when, in actual fact, those updates are nowhere to be found.
Manufacturers even go so far as to change the date of the last update without actually offering new content. Users do not notice this and assume that their device is up-to-date.
But this is not always done in bad faith. For some manufacturers, technical problems can be behind the incorrect delivery of updates. The built-in processors are also crucial: smartphones with Samsung chips, for example, are far less affected than devices with processors from Mediatek. The reason: smartphone manufacturers rely on processor vendors for patches. If the chip manufacturers do not deliver, the providers of the devices cannot publish the update.
Consumer protection lawsuit against the update jungle
The update jungle is as confusing for consumers looking to buy as it is for the professionals. In the case of low-priced smartphones, buyers are often ready to put up with a lower-quality camera, for example. This information can easily be found in the product description. But there is no way to see whether, when or for how long updates will appear for each device. Most of the time, there is only a reference to the factory-installed version of the operating system.
The North Rhine-Westphalia consumer advice centre wants to see this change. Last year, the body sued an electronics retailer who was offering a smartphone for €99. Already at the time of the sale, the device had remediable security holes, because it was fitted with the outdated Android operating system version 4.4 ("Kitkat"), which first came onto the market in 2013. Even after remarks from the Federal Office for Information Security (BSI) in 2016, the manufacturer took no action. Updates for the smartphones failed to appear.
The consumer advice centre could also have sued Google as the developer of Android, or the manufacturer of the mobile device, but finally decided to go after the retailer, as it is the immediate contracting party for consumers and has the duty to inform customers about existing vulnerabilities in a new device.