Early Results from X-Ray: Over 50% of Android Devices are Vulnerable

Later this week, on Friday, I’ll be presenting the preliminary results from our X-Ray project at Rapid7’s United Summit conference in San Francisco.

X-Ray is Duo’s mobile app that performs “vulnerability assessment” on Android devices. Instead of scanning for malicious apps installed on the device like a mobile antivirus app would do (a nearly-intractable problem), X-Ray can identify known, yet unpatched, vulnerabilities in the mobile platform itself that could be exploited to take full control of users' phones. As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users' mobile devices often remain vulnerable for months and even years.

We publicly launched X-Ray just a couple months ago so that average users can scan their own Android devices to see if they have unpatched vulnerabilities that may put them at risk. While it’s well-known in the security community that slow patching of vulnerabilities on mobile devices is a serious issue, we wanted to bring greater visibility to the problem.

Since we launched X-Ray, we’ve already collected results from over 20,000 Android devices worldwide. Based on these initial results, we estimate that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary.

Yes, it’s a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc) has performed thus far. We feel this is actually a fairly conservative estimate based on our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.

Slides are now available here.