![](\"https:\/\/media.wired.com\/photos\/59a8508dfb5fbc7d7601e4df\/master\/pass\/android_oreo-01-FA.jpg\"\/)
<\/p>\n<\/p>\n
Credit to Author: Lily Hay Newman| Date: Fri, 01 Sep 2017 16:40:12 +0000<\/strong><\/p>\n Android's recently released Oreo update<\/a> packs in plenty of features, including a battery life boost and a notifications rethink. But Oreo's most important improvements will happen behind the scenes, with a host of security updates designed to evolve with ever-expanding digital threats. From halting ransomware to blocking malicious apps and easing Android's longstanding fragmentation woes, Oreo tackles some big problems. For the security developers who work behind the scenes, though, it's just one more step on a journey that never really ends.<\/p>\n With over two billion monthly active devices, the majority of them not on the latest\u2014or even recent\u2014version, Android presents a popular target for hackers. Stopping them takes more than a yearly release. It takes the kind of longview, holistic effort that Google has employed for years.<\/p>\n "It\u2019s funny how much the world focuses on the launch of a specific product. In the security world that approach doesn\u2019t really work," says Adrian Ludwig, the director of Android Security. "Sometimes a change we made three years ago becomes relevant this year, or a change we\u2019re making now becomes relevant four years from now. It\u2019s iterative, we make changes with every release. Visibility and quick response go hand in hand with the ability to make longer-term changes and bake them into the platform."<\/p>\n Android Security's long view may be an asset, but the group doesn't waste the chance to capitalize on the more tangible benefits of Android's marketshare and Google's reach. Virtually all the new defense features in Android Oreo stem from or were informed by analysis to spot trends in threat data, Google Play activity, and user behavior.<\/p>\n \u201cThere hasn\u2019t been a huge widespread bug that affects every single version of Android recently, but there are still a lot of critical vulnerabilities that are affecting the core Android framework and platform,\u201d says Andrew Blaich, a security researcher who specializes in Android at the mobile security firm Lookout. \u201cBut with the Oreo security updates they\u2019re at least minimizing the impact because there is an update mechanism in place. And Google is able to react quicker to a lot of [security incidents] now, which is a good thing.\u201d<\/p>\n Just how much more secure will Oreo make your phone? That depends in part on if and when you'll get the update. But assuming you do, it's quite a haul.<\/p>\n Take Google Play Protect, part of Android Security\u2019s detection and reaction infrastructure, which scans devices for suspicious app activity. With 50 billion apps scanned per day, precision counts.<\/p>\n The app scanning that goes into Play Protect has existed behind the scenes under other names for years, but Android Security surfaced the mechanism for customers this year and, and has used it to do a new type of visibility research. Android data scientist Megan Ruthven and others have developed techniques for detecting distribution of extremely targeted malware, the type that might be narrowly distributed to high-value marks. So far, Ruthven's research has turned up 3,000 unique samples of malware, each with an average of just 130 users affected. This ability to detect such a faint signal helps protect each individual user, while also allowing Android Security to spot nascent threats early. "Google Play Protect has such a high penetration rate over all Android devices that we are able to find these specific, targeted spywares," Ruthven says.<\/p>\n Android\u2019s scanners don\u2019t catch everything, though, and researchers still regularly find malicious software that has made it past Google\u2019s protections to land in the Play Store. In August alone, third-party analysts discovered hundreds of compromised financial apps<\/a>, spyware<\/a>, and even apps that spread malware to build Android botnets<\/a> and power DDoS attacks.<\/p>\n Despite those recent fumbles, the dangers of downloading apps from third-party app stores<\/a> far exceed those posed by mainstream apps in Google Play. So Android Security implemented small but significant changes in Oreo, aimed at regularly reminding users about what types of apps they\u2019re downloading. For example, in previous versions of Android a user could enable downloads from outside of Google Play through a setting called \u201cUnknown Sources." Beginning with Oreo, users now receive a prompt to confirm that they want to download any \u201cUnknown Source\u201d app before doing so, as a more salient reminder to proceed with caution.<\/p>\n \u201cIt\u2019s a unique challenge to really balance this desire to provide openness and powerful capabilities to users while at the same time protecting users,\u201d says Xiaowen Xin, a product manager for Android platform security. \u201cIt\u2019s something we struggle with every day and something we work hard on every day.\u201d<\/p>\n Android Security also takes a broad view. When tracking emerging attacks, the team doesn't just rely on Android-specific data, but also surveys the general web to trace malware families and monitor malicious infrastructure. "There is a common misconception that we in Android Security look only at apps that are submitted into Google Play," says Android malware analyst Elena Kovakina. "But in reality we have a pretty robust way of getting apps from diverse sources." Google Play Protect and other detection services gather industry data, and the team even develops relationships with third-parties, like banks, that experience a diverse array of attempted cyberattacks.<\/p>\n In the case of mobile ransomware, a small but growing type of attack, Android already had some defense advantages because it silos every app into a "sandbox," rather than letting them all run together in an open environment. As a result, Android can contain malicious activity more effectively than a more open platform like Windows.<\/p>\n While tracking 30 families of Android ransomware, the team discovered versions that exploited flaws to block users from accessing their phone at the lockscreen, through visual overlays, and by encrypting some data. Oreo adds reinforcements to Android's sandboxing to plug many of these holes. The team also says that to this point it has still never seen ransomware that can render an Android device completely unusable.<\/p>\n "On Android we said from the very beginning that something where one application can destroy the entire environment around itself is just not acceptable," Ludwig says. "And then what\u2019s happened iteratively with each of the major releases is we\u2019ve found out about little areas where applications could be disruptive and we\u2019ve become better at detecting them."<\/p>\n The ongoing challenge to Android security, regardless of what new features Google introduces, remains its fragmented market. Because Android is open, equipment manufacturers and carriers often tailor it to their devices. Those deviations from stock Android can slow the update process considerably. Today, 86 percent of Android device owners use versions that are at least two years old. In contrast, because of Apple\u2019s more controlled ecosystem and update pipeline, 87 percent of iOS devices had adopted the latest release, iOS 10, by the end of July.<\/p>\n \u201cAttackers are still able to get a lot of mileage out of all those old vulnerabilities that are still there in so many devices,\u201d Lookout's Blaich says. \u201cEspecially depending on where they\u2019re attacking across the world they can get a lot of usability out of known vulnerabilities.\u201d<\/p>\n 'It\u2019s a unique challenge to really balance this desire to provide openness and powerful capabilities to users, while at the same time protecting users.' \u2014Xiaowen Xin, Android Security<\/p>\n