Android Year In Review: No Successful Stagefright, Certifigate Exploits

Plus, Android users who install apps outside of Google Play are 10 times more likely to have installed a potentially harmful application, according to new Google Android Security Year in Review report.

Despite the size and complexity of the Android ecosystem, actual user devices escaped any attempts to exploit the StageFright and Certifigate vulnerabilities discovered in 2015, according to Googles new
Android Security Year in Review
.
Improvements Google has made to its official Google Play app store, as well as to the Verify Apps service that warns users about Potentially Harmful Applications (PHAs) when they download them from outside Google Play, appear to be paying off.
After Google added a red icon and exclamation mark to its Verify Apps warning dialog, 50% fewer users voluntarily installed PHAs. Google also added a new capability to Verify Apps, so that it can in very exceptional occasions remove applications that register as device administrators, as was the case when the Android team decided to take action to protect users against a Russian banking fraud scheme.
Nevertheless, it is inside Google Play where Android users are safest. Devices that allow apps downloaded from outside Google Play are 10 times more likely to have PHAs on them than those that do not. PHAs were found on less than 0.15% of devices that only get apps from Google Play; 0.5% of devices that get apps from Play and other sources.
Although installation attempts by PHAs outside of Google Play increased, installation attempts within Play decreased by over 40%. The biggest increase in attempts was by hostile downloaders, from 0.06- to 2.60% of installation attempts.
Ghost Push
The spike in hostile downloaders was almost entirely due to a family of Trojan downloaders called Ghost Push, which boasted over 40,000 apps.
During a seven-week period in the summer of 2015, Ghost Push installation attempts contributed up to 30% of all attempts worldwide -- equalling 3.5 billion attempts in all. Upon further investigation, the Google Android team tracked back many of the attempts to an over-the-air update provider for device manufacturers and carriers in the Southeast Asia region. The OTA update provider also provides a remote application installation service, and apps in the Ghost Push family were among those the company was attempting to install.
The number of affected devices was far lower than the number of attempts, since an unsuccessful attempt might be repeated hundreds of times; Google researchers estimate that there were only about 4 million affected devices, and their clean-up efforts working with the OTA provider reduced the impact by about 90%.
Gain insight into the latest threats and emerging best practices for managing them. Attend the
Security Track
at Interop Las Vegas, May 2-6.
Register now
!
Google also reported that ransomware is almost exclusively distributed outside of Google Play, and only accounting for less than .01% of total app installs, mostly targeting Russian-speaking users via porn apps or fake media players.
Through its bug bounty program, the Google Vulnerability Rewards Program, Google paid $210,161 for Android vulnerabilities, including 30 critical and 34 high-impact.
Related Content:
Mobile Security: Why App Stores Don’t Keep Users Safe
How Some Apple, Android Mobile Tax Apps Put Sensitive Data At Risk
AndroBugs: A Framework For Android Vulnerability Scanning
Stagefright 2.0 Vuln Affects Nearly All Android Devices

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Android Year In Review: No Successful Stagefright, Certifigate Exploits