How dire is the state of mobile threats? We’ve been examining publicly available data from several of the biggest enterprise security vendors as well as some more neutral organizations to better understand the mobile security landscape. We previously examined how to break down the statistics and data, then followed that with how vendors define mobile malware, because actively harmful apps can get combined with apps that just don’t secure user data properly but aren’t designed to harm.
Instead of doing one giant data dump, we’ve decided to break it out into several articles, with this one focusing on stats provided by Google and security vendor Lookout. All the data presented by both companies are from their own internal analysis, not surveys.
State of Android security from Google
Every year, Google releases a review of Android security; while the writing focuses on how much the search giant has improved mobile security, you can still dig in and find useful stats. Unless otherwise specified, the mobile security data is from the Android Security 2017 Year in Review.
One worry for Android devices is security updates, but Google says that the majority of devices (spread across 200 different models from 30 manufacturers) were running a security update from the past 90 days. The only quantitative value given here was that 90% of Google Pixel 2 devices were running a security update from the past 90 days. Also, it’s interesting to note that the wording changed between the 2016 and 2017 reports. Jack looked at the 2016 report and quoted it as saying that over 78% (in the U.S.) and 73% (in Europe) of “active flagship Android devices” received a security update over the past 90 days.
So, how often do Android users encounter what Google considers a potentially harmful app (PHA)? (Here’s their definition (linked PDF).) There are a couple data points to look at [emphasis ours]:
- “In 2016, the annual probability that a user downloaded a PHA from Google Play was 0.04% and we reduced that by 50% in 2017 for an annual average of 0.02%.”
- “In 2017, on average 0.09% of devices that exclusively used Google Play had one or more PHAs installed. The first three quarters in 2018 averaged a lower PHA rate of 0.08%.”
The second quote is from Google’s November 2018 blog post introducing their Android Ecosystem Security Transparency Report. The post also revealed that from Q1 through Q3 2018, 0.82% of devices that sideloaded apps were “affected by PHA.”
Returning to the Android Security Review data, Google Play Protect’s now-daily scans led to the removal of about 39 million PHAs in 2017. Here, 0.56% of all Android devices scanned were discovered to have installed at least one PHA.
While the likelihood of downloading a PHA when using Google Play is low, the percentages are higher for those coming into contact with apps outside of the walled garden. In 2017, the PHA “installation attempt rate” was 4.7%. Google says Play Protect prevented 74% of those installation attempts. Of the PHAs outside Google Play, 27.2% are Trojans, which is quite a drop from 87.3% of PHAs just the year prior.
Unfortunately, the year in review whitepaper doesn’t examine network-based attacks or phishing attacks through SMS and other avenues. However, Google says that phishing as part of PHA had a 0.001% install rate for all devices.
Mobile security according to Lookout
While Google’s data is limited to Android and all users on that OS, Lookout has a wider range of data for both consumer and enterprise and across both mobile OSes.
Lookout says that between January and September 2018, 56% of their users (a mix of consumer and enterprise) clicked on a phishing link via their mobile device. Since 2011, the rate at which consumers fell for mobile phishing links has grown 85% per year.
For network-based attacks over a year period, about 0.8% of enterprise devices encountered a man-in-the-middle attack. Lookout’s data includes a mixture of actual attack attempts and accidental and purposeful intercepts due to things like user-installed ad blockers or organizational content filtering.
While the above data is a combination of OSes, Lookout broke down some additional data points between Android and iOS. Between February 2016 and February 2017, 11% of enterprise iOS devices encountered a sideloaded app. For Android, since Epic Games released Fortnite outside of Google Play in August 2018, the percentage of enterprise devices with unknown sources enabled is 12.36%. Lookout told us that sideloaded app detection on Android is coming Q1 2019, so data is limited for the time being.
How often do the mobile OSes encounter app-based threats? (Incidentally, we’re fans of the term “app-based threats.”) For Android, it’s 4.7% of enterprise devices, while only 0.1% of all iOS devices do. About 20% of app-based threats are Trojans, with the remaining 80% comprising adware and other app-based threats.
One thing that remains top of mind while examining the data is that we want to know how many data breach incidents can be directly attributed to mobile devices. Unfortunately, this is apparently difficult to determine. I asked Lookout’s director of product management David Richardson about this. He said that most organizations don’t have the visibility to see how mobile impacted a breach; so, most often what they see first is attributed to the attack.
More mobile security data to come
We have several more security vendors and neutral parties’ mobile security data that we’re digging through. If you track this security data yourself, whether as a mobile threat defense vendor or other type of vendor, please reach out to us.