Report: Half of Android devices have unpatched holes

Researcher says carriers are more focused on developing new products than securing the old ones.

More than 50 percent of Android devices have serious vulnerabilities that are unpatched because carriers are often slow to update the software, a mobile security researcher says.

"Since we launched X-Ray [Android app used for scanning for vulnerabilities], we've already collected results from over 20,000 Android devices worldwide. Based on these initial results, we estimate that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary," Jon Oberheide, chief technology officer at Duo Security, wrote in a blog post. The results are then extrapolated using Google's published data on Android versions, he said.

Oberheide, who will be presenting the full details of his research on Friday at the United Summit conference in San Francisco, says the vulnerabilities detected by X-Ray are serious. "That is, if the user has installed a malicious app or an attacker has gained code execution via a browser exploit, these vulnerabilities allow for privilege escalation and full control of the device," he wrote in an e-mail.

The vulnerabilities can remain on devices for months or even years because carriers are "very conservative" in rolling out patches to fix bugs in Android, mostly because it is expensive to develop, test and deploy an update, according to Oberheide.

"When you think of all the possible handsets they have, and all the various software configurations and customizations, you can imagine the extensive testing that must be done even with the slightest change to the software. Carriers are also very conservative because, if they do screw up and end up bricking a couple million users' devices with a poorly tested update, they'll take a significant financial hit from their user population fleeing to other carriers," he wrote.

In addition, carriers don't have much incentive to patch and keep devices up to date; there is no liability if user devices are compromised as a result of unpatched holes, he said. Carriers "would much prefer to put effort towards the latest and greatest devices that users will shell out more money for, instead of sinking money into existing devices," he said.

When asked to comment on these allegations and the report results, an AT&T spokesperson provided this statement: "Patches must be integrated and tested for different platforms to ensure the best possible user experience. Therefore, distribution varies by manufacturer and device."

"Security updates are a top priority and treated with the utmost urgency," a Sprint spokesman said in a statement. "We would never knowingly withhold or prevent release of a software update containing a security patch. Sprint delivers security updates as they are made available."

Representatives from Verizon and T-Mobile said they were looking into the matter. We will provide an update when they respond. A Google spokeswoman said the company had no comment.

Tim Wyatt, principal engineer at mobile security provider Lookout, cautioned against reading too much into the numbers. "While 50 percent sounds bad, it's substantially better than when we studied the prevalence of vulnerable devices in 2011," he said in an e-mail. "One caution around the study is that there are not indicators in this study that patch cycles have actually improved from last year, as more vulnerable devices could be just 'aging out' and being replaced with new devices that are shipped without these vulnerabilities."

Meanwhile, "Apple largely avoids this issue by controlling the full mobile stack," making a comparison between the platforms tricky, Wyatt said.