Research Analysis and Guidance: Ensuring Android Security Update Adoption

Microsoft researchers analyzed anonymized and aggregated security patch level data from millions of Android devices enrolled with Microsoft Intune to better understand Android security update availability and adoption across Android device models. In this post, we describe our analysis, and we provide guidance to users and enterprises to keep their devices up to date against discovered vulnerabilities.

 

Mobile devices are today’s most prevalent end-user computing platform, and their unique attributes (portability, ubiquitous network connectivity, frequent physical proximity to their owner, sensors such as microphone, camera, GPS) make them valuable targets. Threat actors use mobile devices as attack vectors to pivot into access to enterprise systems and resources. Microsoft brings its expertise, visibility, and resources to provide end-to-end threat protection, including to the broad range of endpoint platforms.

 

Android security patch lifecycle concerns are often raised in mobile security discussions. Android is an extensible platform with a diversity of devices from many original equipment manufacturers (OEMs), bringing security update complexities. Just as with any popular endpoint platform, security vulnerabilities are discovered in Android. If devices are not patched, these vulnerabilities can potentially be exploited. Others in the security community have previously examined Android security update adoption, and in this post, we contribute to this important discussion by analyzing data from Intune-enrolled Android devices.

 

Overall, we conclude that security updates for popular Android device models are typically made available and installed in a timely manner. Based on our analysis, we recommend these best practices for ensuring that Android devices are kept up to date with the latest security updates:

• When users and enterprises are choosing makes and models of Android devices to purchase, we recommend ensuring that the OEM has committed to provide security updates on a timely basis until a defined End-of-Life date. Several examples for informational purposes without endorsement:
  • Surface Lifecycle for Android-based devices - Surface Duo | Microsoft Learn
  • Learn when you'll get software updates on Google Pixel phones - Pixel Phone Help
  • Security Updates Scope | Samsung Mobile Security
• Enterprises should consider blocking or limiting access (for example, using Conditional Access) from devices, both personal-owned and enterprise-owned, when the security patch level is out-of-date by a defined time or longer. Intune provides the ability to define a minimum security patch level compliance policy.
• Available security updates should be installed as quickly as feasible. Users or enterprises that delay updates should carefully consider the risks of leaving devices susceptible to exploitation by publicly known vulnerabilities. Intune allows you to minimize disruption caused by update rollouts in your organization, through device restrictions policies or additional update management controls for supported OEMs.
• Users and enterprises should replace devices that are End-of-Life or are otherwise known to no longer be receiving security updates.

Highlights of our analysis:

• The majority of the top 100 (by Intune enrollment) device models had security updates made available during the month of Google's Android security bulletin release or the following month.
• The majority of these Intune-enrolled devices had the updates installed during the same or following month that they became available from the OEM. However, for some device models, despite a recent update appearing to be available, many devices had not been recently updated.
• Device models for which the OEM had strongly committed to ensuring security updates (e.g., by participating in Google's Android Enterprise Recommended device program) were more likely to have the most recent Android security updates available & installed.

 

Vulnerability Management

As organizations increasingly rely on mobile devices, the importance of robust vulnerability management for these endpoints cannot be overstated. This is where Microsoft Defender Vulnerability Management Mobile support comes into play. Its comprehensive risk-based vulnerability management across an enterprise's assets alerts administrators to security posture issues, including those on mobile endpoints. Providing severity and exploit availability information enables informed risk decisions, thereby helping to prevent mobile devices—such as those running Android—from becoming attack vectors. In this blog, we take an in-depth look at Android security update availability and adoption.

 

Mobile device exploitation through device vulnerabilities is not just theoretical. Google’s Threat Analysis Group in February published a detailed report with numerous examples of Android and iOS device exploitation. Microsoft has investigated mobile malware samples such as KingsPawn, which targeted iOS and had indications of Android being targeted by the author as well. CISA’s Known Exploited Vulnerabilities (KEV) catalog includes Android vulnerabilities. Security updates are necessary to address vulnerabilities and prevent their exploitation.

 

Understanding The Android Security Update Lifecycle

Stakeholders involved in bringing Android devices to market and distributing updates may include Google, original equipment manufacturers (OEMs), and mobile carriers.

 

Although the base Android operating system is open source and anyone can build upon it, Google provides proprietary Google Mobile Services (GMS) components, such as the Google Play Store, for officially licensed Android devices.

 

Google has been releasing security bulletins and monthly security patches since at least 2015. The security bulletins describe the set of vulnerabilities that have been fixed not just within Android itself but may also include Linux kernel patches and patches from component manufacturers.

 

Each Android security bulletin released by Google contains a list of security vulnerabilities along with one or more security patch level dates. Device users and administrators can check the security patch level on their devices, which is an assertion by the OEM that the device has been patched against all corresponding vulnerabilities in the bulletins through that date. Microsoft Defender Vulnerability Management can help administrators understand known vulnerabilities that their unpatched devices may be susceptible to.

 

Each OEM must create device-specific builds using Google’s updates, which can introduce delays, despite OEMs receiving advance notice from Google before security bulletins are made public. In some cases, the OEM may no longer be supporting the device, and updates may not be forthcoming at all. Transparency into these practices may vary widely between OEMs, but these practices are critical for users and administrators to understand to make appropriate risk decisions.

 

OEMs and mobile carriers may add additional code to their devices, and vulnerabilities in this code may not be reflected in Google’s Android security bulletins. Users and administrators can consult the vendors for more information.

 

Over the last few years, Google has improved its ability to update some components of Android devices, even in cases where an OS update has not been installed (and hence the Android security patch level has not been updated). These updates provide some degree of protection, depending on the specifics of the vulnerabilities.

 

Analyzing Security Update Adoption Using Microsoft Intune Data

Microsoft Intune is used by enterprises to manage millions of devices, both personally owned and enterprise owned. By analyzing enrollment data in aggregate, without use of any user or enterprise unique identifiers, we can make statistically meaningful conclusions of security update adoption across manufacturers and models while maintaining Microsoft’s privacy commitments to our customers.

 

For each Android device in Google's supported device model list enrolled in Intune that checked in during a one-week period in January 2024, we gathered the reported OEM, model, OS version, and Android security patch level. We similarly gathered the model and OS version of all enrolled iOS/iPadOS devices for comparison. Our overall findings were validated by sampling data across several previous months.

 

There are several caveats to be aware of in our data analysis:

• Intune enrolled devices do not represent the overall Android device population.
• The Android security patch level may not account for OEM/carrier-specific vulnerabilities.
• Android’s device diversity means that not all devices are susceptible to all vulnerabilities.
• We did not check if individual devices are running unofficial firmware images, which could potentially provide incorrect version and patch level information.

We analyzed the data in several ways:

• Latest Android Security Patch Level and median Android Security Patch Level across the top 100 (by Intune enrollment) device models – this gives an estimation of the most recent available update, as well as the rate of adoption of updates for the most popular devices.
• Patch level comparison between “knowledge worker” and “rugged” Android Enterprise Recommended devices (AER) and enrolled Android devices overall. The AER program requires devices to “meet an elevated set of specifications" for security updates.
• iOS/iPadOS version adoption for comparison.

 

Android Security Patch Levels of Top Devices

For each unique Play Protect certified device model, we examined both the latest patch level (the most recent patch level reported by devices, with outlying patch levels reported by three or fewer devices excluded) and the median patch level, normalizing each patch level date to the first day of the month. The results highlight the importance of ensuring that device OEMs provide a documented commitment to security updates, and that users and enterprises stop using devices that are beyond the advertised security update support period.

 

We calculated the age of the patch levels by subtracting the patch level date from the first day of the current month (e.g., a patch issued during the current month would have an age of zero). Using this data, we can determine (assuming we have a large enough device population of that manufacturer/model enrolled in Intune) both when a security update was last issued for a particular manufacturer/model, and how widely the security update has been adopted.

 

In the figures below, we consider the 100 most popular Android device models enrolled in Intune. The top 100 models reflected 44% of the total number of Play Protect certified Android devices enrolled in Intune. Our data supports that most popular Android devices release security updates in a timely manner:

• 61 of the 100 models have a security update available with a patch level of one month ago or less.
• 81 of the 100 models have a security update available with a patch level of three months ago or less.

 

 

Some models have an age of zero for the latest patch level, meaning that there is a security update available from the current month. Some models have an age of -1, meaning some devices are running a security update dated next month (possibly an upcoming release being tested).

 

We examined in further detail the five device models in the top 100 where the latest observed patch level was at least 10 months old. For each device model, we searched online for any security update commitment made by the OEM:

• For three of the device models (Device Models 9, 24, and 68), the OEM promised four years of security updates after release, and they met that commitment - the devices had been released over four years ago.
• For the other two devices (Device Models 46 and 100), the newest updates we could find were 33 and 31 months respectively after the initial device releases (43 and 53 months ago). We could not find any documented OEM update commitment for those two devices.

Across the 100 device models, the adoption of updates (the median patch level) varies widely. This discrepancy can be seen on the graph as the difference between the orange bars (median patch level) and their corresponding blue bars (latest patch level):

• 32 device models have a difference of two months or more.
• Six of those device models have a difference of 10 months or more.

 

At least three of the device models with a difference of 10 months or more are non-consumer models intended for use in commercial environments. We speculate that large differences between median and latest patch level are business-critical environments where update deployment is carefully controlled. Other reasons could include use in environments with unstable Internet connections and cases where mobile carriers manage the update but have not yet published it.

 

Android Enterprise Recommended (AER) Device Models

Google’s Android Enterprise Recommended (AER) program provides a list of devices that according to Google meet “an elevated set of specifications” for security updates and other properties. Originally, “[d]elivery of Android security updates within 90 days of release from Google, for a minimum of three years” was required, but the requirements have since changed. The AER device list is divided into two categories: “knowledge worker” and “rugged.”

 

Each AER device entry states an advertised End-of-Life (EoL) date that the vendor intends to provide updates until. In the most recent requirements (Android 12), knowledge worker device OEMs “must publish security update information on their websites” including an EoL date for updates, with no requirement to deliver updates in a specific timeframe and no specific EoL length requirement. Rugged device OEMs must support “90-day security updates” and the same EoL requirements as knowledge worker devices.

 

We analyzed the latest and median patch levels for the top 50 (by Intune enrollment) non-EoL knowledge worker and the top 25 non-EoL rugged device models.

 

AER Knowledge Worker Device Models

We analyzed the top 50 (by Intune enrollment) AER Knowledge Worker device models (representing 77% of the AER Knowledge Worker devices enrolled in Intune), finding that recent security updates were available for all. We identified a security update with a patch level of one month or newer available for 48 device models, and a security update with a patch level of two months ago for the remaining two device models. 

 

Examining the difference between the median and latest patch levels for each model, we observed that for 47 out of 50 device models, the median device had updates applied within two months of release.

 

Beyond the top 50, we analyzed all 296 device models that had at least 1000 devices enrolled in Intune. For 290 of those device models, we identified a security update three months old or less, with the majority of device models (177) having a security update dated within the past month.

 

For the remaining 6 device models, we verified on either the OEM or mobile carrier websites that there did not appear to be recent security updates available, even though the device AER entries indicated they should still be supported with updates. Overall, device models on the AER list have good security update availability but some caution may still be appropriate.

 

AER Rugged Device Models

Our analysis shows much greater variation in both security update availability and security update deployment for the AER rugged device models. We included only the 25 AER rugged device models that have 1000 or more devices enrolled in Intune.

 

The variability may be due to the use of these device models in business-critical environments where the OEM may impose more requirements before publishing updates, and the device owner may impose requirements before deploying updates. Enterprises should take care to obtain assurances of security update availability and should carefully weigh the risks of delaying update deployments.

 

Comparing Android and iOS Update Adoption

In the below plots, we compare update adoption by showing across months the cumulative number of Intune-enrolled devices running an Android security patch level from that month, or for Apple mobile devices, an iOS/iPadOS version released during that month. We show all Play Protect-certified Android devices, all AER Knowledge Worker devices, and all iOS/iPadOS devices.

 

The data shows the rapid adoption of new versions of iOS/iPadOS versus Android overall, but it also shows that the gap is significantly narrowed for AER knowledge worker devices.

 

Conclusion

Our data shows that while security update availability and adoption vary, most popular Android device models have good security update practices. With proper precautions and care taken by users and enterprises when choosing devices to use, Android devices can likely be relied upon to have security updates available in a timely manner to provide protection from known vulnerabilities. Enterprises should consider enforcing minimum Android security patch levels for devices to access enterprise resources, with an understanding that this will exclude some device models.

 

Apurva Kumar and Michael Peck

Microsoft Threat Intelligence Community