Google Online Security Blog: Android Security 2015 Annual Report

Security Blog

The latest news and insights from Google on security and safety on the Internet

Android Security 2015 Annual Report

April 19, 2016

Posted by Adrian Ludwig, Lead Engineer, Android Securitysecond year in a rowhereEnhancing Google's services to protect Android users

We protected users from malware and other Potentially Harmful Apps (PHAs), checking over 6 billion installed applications per day.

We protected users from network-based and on-device threats by scanning 400 million devices per day.

And we protected hundreds of millions of Chrome users on Android from unsafe websites with Safe Browsing.

We continued to make it even more difficult to get PHAs into Google Play. Last year’s enhancements reduced the probability of installing a PHA from Google Play by over 40% compared to 2014. Within Google Play, install attempts of most categories of PHAs declined including:

Data Collection: decreased over 40% to 0.08% of installs
Spyware: decreased 60% to 0.02% of installs
Hostile Downloader: decreased 50% to 0.01% of installs

Overall, PHAs were installed on fewer than 0.15% of devices that only get apps from Google Play. About 0.5% of devices that install apps from both Play and other sources had a PHA installed during 2015, similar to the data in last year’s report.

It’s critical that we also protect users that install apps from sources other than Google Play. Our Verify Apps service protects these users and we improved the effectiveness of the PHA warnings provided by Verify Apps by over 50%. In 2015, we saw an increase in the number of PHA install attempts outside of Google Play, and we disrupted several coordinated efforts to install PHAs onto user devices from outside of Google Play.

New security features in the Android platform
Last year, we launched Android 6.0 Marshmallow, introducing a variety of new security protections and controls:

Full disk encryption is now a requirement for all new Marshmallow devices with adequate hardware capabilities and is also extended to allow encryption of data on SD cards.
Updated app permissions enable you to manage the data they share with specific apps with more granularity and precision.
New verified boot ensures your phone is healthy from the bootloader all the way up to the operating system.
Android security patch level enables you to check and make sure your device has the most recent security updates.
And much more, including support for fingerprint scanners, and SELinux enhancements.

Deeper engagement with the Android ecosystem

We’re working to foster Android security research and making investments to strengthen protections across the ecosystem now and in the long run.
In June, Android joined Google’s Vulnerability Rewards Program, which pays security researchers when they find and report bugs to us. We fixed over 100 vulnerabilities reported this way and paid researchers more than $200,000 for their findings.
In August, we launched our monthly public security update program to the Android Open Source Project, as well as a security update lifecycle for Nexus devices. We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs. Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices. Despite this progress, many Android devices are still not receiving monthly updates—we are increasing our efforts to help partners update more devices in a timely manner.

Greater transparency, well-informed discussions about security, and ongoing innovation will help keep users safe. We'll continue our ongoing efforts to improve Android’s protections, and we look forward to engaging with the ecosystem and security community in 2016 and beyond.