The malware, dubbed “HummingBad,” was first spotted in February and likely sprouted from a company in China. It infects Android devices undetected by setting up a permanent rootkit — a set of software tools that enable an unauthorized user to gain control of a computer system.
But security issues on Android are not new. The third-party device makers and network operators responsible for deploying security patches when vulnerabilities are discovered are often slow to provide updates. Consequently, the Android ecosystem is fraught with security flaws, which results in a number of setbacks for Android:
It weakens platform security: Android devices receive only 1.26 updates per year on average, according to a study from the University of Cambridge. As a result, known vulnerabilities often go unpatched for extended periods of time. For example, patches for the Stagefright software bug that affected Android devices in 2015 reached only a fraction of Android’s active user base of 1.4 billion.
It makes it more difficult to innovate: Google regularly adds new features to its software, but new capabilities can work only if carriers and OEMs roll out updates for users. This makes it difficult for Android users to receive the same experience as one another and can damage the overall image of the platform.
It creates more work for app developers: Fragmentation is becoming a much larger issue for app developers because it is time-consuming and expensive to maintain an app for several different versions of the Android operating system.
Google has taken numerous steps to make the Android ecosystem more secure for users. For example, the company announced in May that it would begin publicly ranking phone makers that use its OS but lag on rolling out software updates. Nevertheless, security in the Android ecosystem will only significantly improve if device manufacturers and network operators make an effort to deploy updates in a timelier manner.