Since 2014, Google has published a “Year in Review” report focussed on security for the Android platform. The 2018 edition — covering “Android Security & Privacy” — is now available, with Google detailing its efforts and providing various statistics that show an overall improvement.
This is the fifth annual Year in Review and coincides with the tenth anniversary of Android. The report covers recent security enhancements and in particular provides various statistics related to malicious apps. At a high level, Android’s strategy is focussed on “layered security,” “transparency,” and “Backed by Google.”
According to Google, 0.08% of devices that only installed applications through the Play Store were affected by Potentially Harmful Applications (PHAs) in 2018. This is due to Play Protect, which works to scan all apps on an Android device regardless of installation origin.
In contrast, devices that installed apps from outside of Google Play were affected by PHAs 8 times more often. Compared to the previous year, even those devices saw a 15% reduction in malware due to the vigilance of Google Play Protect.
In 2018, Google began labeling and tracking click fraud apps that simulate ad clicks as PHAs. Click fraud notably accounted for 54.9% of the total installation rate. Other related stats include:
- In 2018, 0.45% of all Android devices running Google Play Protect had installed PHAs, compared to 0.56% of PHA-affected devices in 2017. This equates to a 20% year-over-year improvement to the health of the Android ecosystem.
- Google Play Protect prevented 1.6 billion PHA installation attempts from outside of Google Play in 2018.
Google is also looking for PHAs during the OEM development process by making available a Build Test Suite (BTS) for partners. The tool prevented 242 builds with PHAs from entering the ecosystem.
“OEMs submit their new or updated build images to BTS. BTS then runs a series of tests that look for security issues on the system image. One of these security tests scans for pre-installed PHAs included in the system image. If we find a PHA on the build, we work with the OEM partner to remediate and remove the PHA from the build before it can be offered to users.”
Another improvement was an 84% year-over-year jump during Q4 2018 in the number of devices that received a security update. Google attributes this to Treble, Android One, Android Enterprise Recommended, and “new original equipment manufacturer (OEM) agreements.”
On the vulnerability identification front, Google “surpassed $3 million in total reward program payouts.” During Mobile Pwn2Own, the company notes that “none of the exploits demonstrated against devices running Android utilized a security vulnerability in the Android operating system.”
Further, in 2018, no critical security vulnerabilities affecting the Android platform were publicly disclosed without a security update or mitigation available for Android devices.
Google also highlighted several Pixel statistics, including that “no exploits successfully compromised” the Made by Google devices, while “over 95% of deployed Google Pixel 3 and Pixel 3 XL devices were running a security update from the last 90 days” as of December 2018.