Google already fixed at least one of the Android exploits used by 'Agent Smith,' nicknamed Janus, in 2017 – but the fix hasn't made its way onto every Android phone. It's a potent reminder that millions of phones around the world are being used without the latest security measures.
"The sheer numbers infected by this campaign shows how many devices are not updated," Hazum said. "It takes quite a lot of time for an update to reach every phone."
A big part of the problem is how fragmented the Android ecosystem is, especially compared to the iPhone ecosystem, Childs said.
"Google is very good about releasing fixes for the vulnerabilities they know about, but getting it to all the devices is a very difficult problem."
Whenever Google issues a new security fix, or "patch," every device maker – such as Samsung or LG – has make sure all their own apps still work with the new system, which can take time. Manufacturers usually stop offering security updates to phone models after a few years, or even a few months, a significant problem given how long people tend to keep smartphones.
If manufacturers push out an update for the device, all the carriers – such as Verizon and AT&T – then have to authorize the update.
The final step, of course, is getting people to actually update their phones.
"People see they have an update and know it will take their phone 30 minutes to download it, apply it, and restart the device," Hazum said. "A lot of people ignore it."
Whether or not users have updated security on their phones, one of the biggest risks to Android devices comes from third-party app stores, which aren't well-vetted, said Daniel Thomas, a research associate and lecturer at University of Cambridge.
Thomas was part of a research team that found 87% of Android devices in 2015 were using out-of-date versions of the operating system. The team's Android Vulnerabilities program distributes data about historical and current risks for the devices.
But iPhone users shouldn't get comfortable. Even though the Apple ecosystem is more controlled than Android, hackers have found plenty of ways to exploit devices using iOS – not to mention Apple is set to stop offering security updates to many iPhone models that are still widely used.
"In any large body of code, there will always be vulnerabilities we haven't found yet," Thomas said.
(c)2019 The Mercury News (San Jose, Calif.)
Visit The Mercury News (San Jose, Calif.) at www.mercurynews.com
Distributed by Tribune Content Agency, LLC.