Cambridge study finds 85 per cent of Android devices are insecure
New test gives top marks to Google's own Nexus range, which receives Android updates and patches before the rest of the market
Around 85 per cent of Android devices are, or have been, susceptible to 13 critical vulnerabilities, researchers at the University of Cambridge have discovered.
The research has shown that the variability in Android version rollouts between manufacturers is even worse than many had feared, with many devices remaining vulnerable to everyday exploits for months or even years as manufacturers or phone carriers fail to send out patches and fixes early enough - or even at all.
The team of three researchers at Cambridge have come up with a scorecard system for Android devices, which they are calling the FUM score. This is calculated per manufacturer, by comparing the proportion of devices free (F) from critical vulnerabilities, against the proportion updated (U) to the most recent available versions of Android, as well as the number of vulnerabilities the manufacturer (M) has not yet fixed.
So far, and rather unsurprisingly, Google itself is winning out with the Nexus series, which sits at a FUM score of 5.2. Google is well-known for rolling out the newest Android builds and patches to its flagship devices.
In the wider market, LG has been awarded a FUM score of 4.0, Motorola 3.1 and Samsung only 2.7. HTC has only 2.5, while lesser-known firms like Alps (0.7) and Walton (0.3) show real room for improvement.
Rather than scanning for actual vulnerabilities, the researchers' test uses Device Analyzer, a basic application freely available on Google Play, which simply scans a device for other information about its software and how it is used. The Android version and build number are then matched against the known vulnerabilities that affect them.
"We can use the build number to work out when the particular build of Android was produced (by recording when we first observed that build number) and hence detect backports that might have fixed vulnerabilities," researcher Daniel Thomas told Threatpost.
Android devices receive on average only 1.26 updates a year, leading to the conclusion that 85 per cent of live devices in the world are insecure.
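The matching step described above (Android version plus the date a build number was first observed, checked against known vulnerabilities) can be sketched as follows. This is an added example, not the researchers' or Device Analyzer's code; the vulnerability records, build numbers, dates and the three status labels are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Vuln:
    name: str
    first_affected: tuple  # first vulnerable Android version
    fixed_in: tuple        # first Android version that ships the fix
    fix_date: date         # date a fix became available

# Constructed sample data (placeholders, not real vulnerabilities or builds).
VULNS = [
    Vuln("EXAMPLE-VULN-1", (4, 0), (4, 4), date(2014, 3, 1)),
    Vuln("EXAMPLE-VULN-2", (2, 2), (5, 0), date(2014, 11, 12)),
]
# Build number -> date that build was first observed on any device.
FIRST_SEEN = {
    "BUILD-A": date(2013, 11, 5),
    "BUILD-B": date(2014, 6, 20),
    "BUILD-C": date(2015, 1, 10),
}
SEVERITY = ["not affected", "maybe patched", "vulnerable"]

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def classify(version, build, vuln):
    v = parse_version(version)
    if not (vuln.first_affected <= v < vuln.fixed_in):
        return "not affected"
    seen = FIRST_SEEN.get(build)
    # A build first seen after the fix date may carry a backport;
    # an older or unknown build gives no evidence of one.
    if seen is not None and seen >= vuln.fix_date:
        return "maybe patched"
    return "vulnerable"

def device_status(version, build):
    """Worst result across all known vulnerabilities."""
    results = [classify(version, build, v) for v in VULNS]
    return max(results, key=SEVERITY.index)

if __name__ == "__main__":
    for ver, build in [("4.2.2", "BUILD-A"), ("4.4.2", "BUILD-B"),
                       ("4.2.2", "BUILD-C"), ("5.0", "BUILD-C")]:
        print(ver, build, device_status(ver, build))
```

A build observed after the fix date is only "maybe patched" because the build date shows a backport was possible, not that it was applied.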