Despite the size and complexity of the Android ecosystem, actual user devices escaped any attempts to exploit the StageFright and Certifigate vulnerabilities discovered in 2015, according to Google's new Android Security Year in Review.
Improvements Google has made to its official Google Play app store, as well as to the Verify Apps service that warns users about Potentially Harmful Applications (PHAs) when they download them from outside Google Play, appear to be paying off.
After Google added a red icon and exclamation mark to its Verify Apps warning dialog, 50% fewer users voluntarily installed PHAs. Google also added a new capability to Verify Apps, so that it can on very exceptional occasions remove applications that register as device administrators, as was the case when the Android team decided to take action to protect users against a Russian banking fraud scheme.
Nevertheless, it is inside Google Play where Android users are safest. Devices that allow apps downloaded from outside Google Play are 10 times more likely to have PHAs on them than those that do not. PHAs were found on less than 0.15% of devices that only get apps from Google Play, and on 0.5% of devices that get apps from Play and other sources.
Although installation attempts by PHAs outside of Google Play increased, installation attempts within Play decreased by over 40%. The biggest increase in attempts was by hostile downloaders, from 0.06% to 2.60% of installation attempts.
The spike in hostile downloaders was almost entirely due to a family of Trojan downloaders called Ghost Push, which boasted over 40,000 apps.
During a seven-week period in the summer of 2015, Ghost Push installation attempts contributed up to 30% of all attempts worldwide -- equalling 3.5 billion attempts in all. Upon further investigation, the Google Android team traced many of the attempts back to an over-the-air update provider for device manufacturers and carriers in the Southeast Asia region. The OTA update provider also provides a remote application installation service, and apps in the Ghost Push family were among those the company was attempting to install.
The number of affected devices was far lower than the number of attempts, since an unsuccessful attempt might be repeated hundreds of times; Google researchers estimate that there were only about 4 million affected devices, and their clean-up efforts working with the OTA provider reduced the impact by about 90%.
Google also reported that ransomware is "almost exclusively" distributed outside of Google Play and accounts for less than 0.01% of total app installs, mostly targeting Russian-speaking users via porn apps or fake media players.
Through its bug bounty program, the Google Vulnerability Rewards Program, Google paid $210,161 for Android vulnerabilities, including 30 critical and 34 high-impact.