Android Security 2015 Annual Report

(Cross-posted on the Google Security Blog.)

Editor's note: For more details on our Android security efforts and results and what this level of security offers for the workplace, please sign up to join our Hangout on Air with Adrian today at 10am PST. The session will be recorded and available to view on-demand afterwards as well.

Today, for the second year in a row, we’re releasing our Android Security Annual report. This detailed summary includes: a look at how Google services protect the Android ecosystem, an overview of new security protections introduced in 2015, and our work with Android partners and the security research community at large. The full report is here, and an overview is below.

One important goal of releasing this report is to drive an informed conversation about Android security. We hope to accomplish this by providing more information about what we are doing, and what we see happening in the ecosystem. We strongly believe that rigorous, data-driven discussion about security will help guide our efforts to make the Android ecosystem safer.

Enhancing Google's services to protect Android users

In the last year, we’ve significantly improved our machine learning and event correlation to detect potentially harmful behavior.

  • We protected users from malware and other Potentially Harmful Apps (PHAs), checking over 6 billion installed applications per day.
  • We protected users from network-based and on-device threats by scanning 400 million devices per day.
  • And we protected hundreds of millions of Chrome users on Android from unsafe websites with Safe Browsing.

We continued to make it even more difficult to get PHAs into Google Play. Last year’s enhancements reduced the probability of installing a PHA from Google Play by over 40% compared to 2014. Within Google Play, install attempts of most categories of PHAs declined, including:

  • Data Collection: decreased over 40% to 0.08% of installs
  • Spyware: decreased 60% to 0.02% of installs
  • Hostile Downloader: decreased 50% to 0.01% of installs

Overall, PHAs were installed on fewer than 0.15% of devices that only get apps from Google Play. About 0.5% of devices that install apps from both Play and other sources had a PHA installed during 2015, similar to the data in last year’s report.

It’s critical that we also protect users that install apps from sources other than Google Play. Our Verify Apps service protects these users and we improved the effectiveness of the PHA warnings provided by Verify Apps by over 50%. In 2015, we saw an increase in the number of PHA install attempts outside of Google Play, and we disrupted several coordinated efforts to install PHAs onto user devices from outside of Google Play.

New security features in the Android platform

Last year, we launched Android 6.0 Marshmallow, introducing a variety of new security protections and controls:

  • Full disk encryption is now a requirement for all new Marshmallow devices with adequate hardware capabilities and is also extended to allow encryption of data on SD cards.
  • Updated app permissions enable you to manage the data you share with specific apps with more granularity and precision.
  • New verified boot ensures your phone is healthy from the bootloader all the way up to the operating system.
  • Android security patch level enables you to check and make sure your device has the most recent security updates.
  • And much more, including support for fingerprint scanners, and SELinux enhancements.

Deeper engagement with the Android ecosystem

We’re working to foster Android security research and making investments to strengthen protections across the ecosystem now and in the long run.

In June, Android joined Google’s Vulnerability Rewards Program, which pays security researchers when they find and report bugs to us. We fixed over 100 vulnerabilities reported this way and paid researchers more than $200,000 for their findings.

In August, we launched our monthly public security update program to the Android Open Source Project, as well as a security update lifecycle for Nexus devices. We intend the update lifecycle for Nexus devices to be a model for all Android manufacturers going forward and have been actively working with ecosystem partners to facilitate similar programs. Since then, manufacturers have provided monthly security updates for hundreds of unique Android device models and hundreds of millions of users have installed monthly security updates to their devices. Despite this progress, many Android devices are still not receiving monthly updates—we are increasing our efforts to help partners update more devices in a timely manner.

Greater transparency, well-informed discussions about security, and ongoing innovation will help keep users safe. We'll continue our ongoing efforts to improve Android’s protections, and we look forward to engaging with the ecosystem and security community in 2016 and beyond.