Early Results from X-Ray: Over 50% of Android Devices are Vulnerable

Later this week, on Friday, I'll be presenting the preliminary results from our X-Ray project at Rapid7's United Summit conference in San Francisco.

X-Ray is Duo's mobile app that performs "vulnerability assessment" on Android devices. Instead of scanning for malicious apps installed on the device like a mobile antivirus app would do (a nearly-intractable problem), X-Ray can identify known, yet unpatched, vulnerabilities in the mobile platform itself that could be exploited to take full control of users' phones. As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users' mobile devices often remain vulnerable for months and even years.

We publicly launched X-Ray just a couple months ago so that average users can scan their own Android devices to see if they have unpatched vulnerabilities that may put them at risk. While it's well-known in the security community that slow patching of vulnerabilities on mobile devices is a serious issue, we wanted to bring greater visibility to the problem.

Since we launched X-Ray, we've already collected results from over 20,000 Android devices worldwide. Based on these initial results, we estimate that over half of Android devices worldwide have unpatched vulnerabilities that could be exploited by a malicious app or adversary.

Yes, it's a scary number, but it exemplifies how important expedient patching is to mobile security and how poorly the industry (carriers, device manufacturers, etc.) has performed thus far. We feel this is actually a fairly conservative estimate, given our preliminary results, the current set of vulnerabilities detected by X-Ray, and the current distribution of Android versions globally.

If you're out in the San Francisco area, it's not too late to register for United Summit (use 12UNITEDSP for a $300 registration discount) and come hear the talk on Friday morning. For the rest of you, we'll be following up with a blog post next week detailing the full results, statistical methodology, and what we have in store for X-Ray in the future. Stay tuned!

Jon Oberheide

Co-Founder and CTO

@jonoberheide

Jon is the co-founder and CTO of Duo Security, responsible for leading product vision and the Duo Labs advanced research team. Before starting Duo, Jon was a self-loathing academic, completing his PhD at the University of Michigan in the realm of cloud security. In a prior life, Jon enjoyed offensive security research and generally hacking the planet. Jon was recently named to Forbes "30 under 30" list for his mobile security hijinks.