29% of Android devices can’t be patched by Google

Google on Tuesday released the second annual security report on its “toxic hellstew of vulnerabilities,” or what the rest of us know as Android.

You might recall that ZDNet’s Adrian Kingsley-Hughes bestowed this memorable and burbly description on Google’s mobile operating system two years ago, when Android device vendors were lagging in patching vulnerabilities such as Heartbleed on their devices.

Apple CEO Tim Cook loved that description. He put it on screen at Apple’s WWDC developers conference. He also put up a slide of a pie chart showing that 99% of mobile malware was on Android.

They say it got a big laugh. Oh, baby. Neither love nor money can buy you better verbiage for your company slideshow.

Jump forward a year to 2015 and Google’s first-ever Android security report.

Google must have been muttering “Who’s laughing now?” the whole time it was pulling together the review of Android security in 2014, given that it would claim, more or less, to have demolished malware.

Fewer than 1% of Android devices had any malware, Google said in the 2014 report, thanks to scanning done by a product named Verify Apps that sniffs out viruses, ransomware, or other Potentially Harmful Applications (PHAs).

Well, that’s a nifty trick, Naked Security’s Paul Ducklin noted: Google went and “solved” the malware problem by defining it out of existence.

Why fuss with all those scary-sounding subcategories – spyware, backdoor, call_fraud, sms_fraud, phishing, DDoS , ransomware, and even generic_malware - when you can just roll them all up into the much milder-sounding uber category of “potentially” harmful apps?

Nomenclature aside, even “just” 1% of devices vulnerable to PHAs – what most of us simply call “malware” – out of 1 billion Android devices still adds up to more than 10,000,000 PHA-infected Androids in the wild at any time, as Paul observed.

Jump forward another year to the most recent report, released on Tuesday, and you’ll see that Google’s still got some stew to work out thanks to the Android ecosystem, where patches are still doled out by whim from device makers and phone carriers.

In the wake of Stagefright, that nasty security hole in Android, Google and Samsung last August had launched monthly pushes of security updates.

In contrast, some phone carriers seemed stuck in the mud, bogged down by the work of wrapping their own software around Android updates: a consequence of Google leaving updates in the hands of its partners.

Google said in the most recent report that since it began the monthly security pushes, there are still “many” Android devices not receiving monthly updates. It’s going to keep pushing partners to get with the program and update devices “in a timely manner,” the company said.

Google also said that in 2015, it checked over 6 billion installed Android apps per day to protect users from PHAs. It also scanned 400 million devices per day to protect users from network-based and on-device threats.

Google also said that 70.8% of all active Android devices are running modern versions of Android that it supports with patches. Flip the number around, and you’ll find that Google said that it can’t get patches out to 29.2% of Android devices.

That unpatchable landscape maps out like this: Google said in September that there were 1.4 billion active Android devices worldwide at the time.

That translates to some 409 million unpatchable, active Androids: one big cauldron of hellstew.

Presumably, some of the 29% of untouchables can be patched at the whim of vendors. That and $4 will get you a venti latte.

And that, of course, gives you the chance to sit around in a hotspot and pray your phone maker whims you patches so you don’t pick up something nasty off the “free” Wi-Fi.

Image of Android device courtesy of Twin Design / Shutterstock.com