Duo Security is claiming that “over half” of Android devices have unpatched vulnerabilities.
The company’s Jon Oberheide says in this blog post that the results come from the first slew of users of the company’s X-Ray Android vulnerability scanner.
Promising to announced detailed results on Friday (September 14) at the Rapid7 United Summit conference in San Francisco, Oberheide says the results come from X-Ray scans of more than 20,000 users of the software – the sample base from which Duo draws its “50 percent” claim.
The of vulnerabilities X-Ray tests for include a bug ASHMEM that allows devices to be rooted; Exploid, in which Android’s init daemon forgets to confirm that Netllink messages are coming from the trusted kernel; Gingerbreak, which exploits the same Netlink issue but uses the volume manager as its vector; the Levitator privilege escalation bug; along with the Mempodroid, Wunderbar, ZergRush and Zimperlich bugs.
Android patching is a pain in the neck, involving as it does the complex ecosystem of Google, device makers and carriers. The easiest way to get an up-to-date version of Android is to buy a new device.
Alternatively, we could just wait until Android is sued off the face of the planet and replaced by a new Google operating system. ®