The Android OS Fragmentation Problem

Software bugs and flaws are inevitable. Often, they are ironed out through patches and updates that either make software work better or secure it against cybercriminal exploitation.

The diagram below shows the process Google follows to push its updates to Android™ users. Since Google relies on device manufacturers and service providers to send updates, delays occur. With these setbacks comes the Android OS fragmentation problem.

How the Android Update Process Works

Since certain Android devices are stuck with outdated versions of the OS, they lack significant features and improvements they need to work optimally. The fragmentation problem also makes Android devices vulnerable to exploits.

Google Dashboard™ keeps track of all OS versions on all activated Android devices. It shows that Gingerbread, the OS version with the most vulnerabilities, still runs on 38.5% of all Android devices worldwide.

Android Versions in Use

Cybercriminals can take advantage of vulnerable Android devices to steal stored data and use it to steal your identity and commit other crimes. This problem can also affect organizations. If their employees use vulnerable devices to access business-critical information and accounts, organizations risk losing data and compromising their security and reputation.

Upgrading to the latest Android OS version may make devices more secure, but it's not a cure for all mobile threats. Since Android malware is usually designed to run on the most basic Android OS version, it can infiltrate any device running an existing OS version as early as Donut. Unless the OS is radically changed, all devices running current and succeeding Android OS versions will remain vulnerable.

Distribution of Malware by Minimum Android Version

What Google Is Doing

Google is continuously taking steps to try to address this problem. Android's latest OS, Jelly Bean 4.2, comes with anti-malware capabilities. Its "Verify App" function comes up whenever the phone detects third-party apps being installed. It checks for and removes apps that exhibit malicious behavior. Jelly Bean 4.2 also notifies you if any of your installed apps is trying to send text messages to a premium service provider (the modus operandi of premium service abusers) and gives you the option to allow or deny the process. But since only 2.3% of all activated Android devices worldwide run Jelly Bean 4.2, this measure is still not enough to protect Android users.

During the 2011 Google I/O Conference, Google announced that it was partnering with phone manufacturers to streamline its update release process. Google called this the Android Update Alliance. As of this writing, however, no word has been heard from this alliance.

At this year's Google I/O Conference, the company announced that it would roll out updates, not for the Android OS but for its main user-facing apps like Google Maps™, Gmail™, and Google Chrome™. Doing this would allow it to update the main functionality of Android devices and improve user experience without adding to the existing OS fragmentation problem. This method could also help improve device security. Unfortunately, it can't ensure that owners of devices running older OS versions like Gingerbread can enjoy the same anti-malware benefits as those with Jelly Bean 4.2 devices.

What Users Can Do

Android fragmentation is an issue that can't be resolved anytime soon, but this does not mean users can't do anything about it. When purchasing an Android device, they can find out what Android OS version is loaded on it. They can note what security options are available to them. They can also opt to buy from Google's own line of Android devices. This lessens the delay in updates since Google pushes them directly to its own products.

If users already own an Android device and it's running an outdated OS, they don't have to wait on manufacturer and service provider updates to protect their devices. Installing a security app like Trend Micro™ Mobile Security for Android can effectively block exploits that target Android vulnerabilities.

Trend Micro Mobile Security Users by Android OS Version

Even if devices are running the latest Android OS version, that does not guarantee safety. We already noted that devices running Jelly Bean 4.2 are not fully protected against all malware. The majority of our Trend Micro Mobile Security for Android user base, 33.23%, still own devices running Jelly Bean. This means that even those with the most secure Android OS still feel they need additional protection.

To see the April 2013 mobile threat statistics, go to this page.