Android – Swiss cheese Pt II.

More malware further underpins a proprietary future. 

  • More Android-based malware has come to light, in which 10m infected devices could be generating fraudulent revenues of $3.6m per year.
  • This brings the Android security problem into sharp focus once again, further underpinning my long-held opinion that the chaos that is Android is likely to become a series of tightly controlled proprietary systems.
  • This latest malware is known as HummingBad. It installs itself as a rootkit and then downloads many fraudulent apps, which are then used to generate advertising revenue.
  • All versions of Android are susceptible to this malware, and there are an estimated 188,000 devices in North America, implying that it is not just the unofficial versions of Android that are susceptible.
  • This sort of occurrence is not abnormal, but typically what happens is a rapid response from the platform owner and the issue is resolved within a week or two.
  • Unfortunately, any security problem that requires a major update to the Android Open Source Package (AOSP) is virtually unfixable, meaning that the issue will persist indefinitely.
  • There are two issues that cause this problem.
    • First: Most Android devices are not updateable.
    • Android is a commoditised, brutally competitive market, meaning that in the mid-range every cent of cost matters.
    • Making a device updateable means that extra resources have to be added to the device, which are never reflected in the price.
    • Consequently, the vast majority of Android devices are not updateable to later versions of Android, as there is no incentive for the device maker to add this capability.
    • Second: Google has no control over the update process for any of the devices that run its services.
    • It can update Google Mobile Services (GMS) from Google Play, but lower-level system updates (Android) are controlled by either the maker of the device or the mobile operator.
    • The two exceptions are Xiaomi and Cyanogen, both of whom have retained the ability to update devices running their software.
    • This is provided that the devices themselves are updateable as per the first issue above.
  • This is just another reason why usage of Android devices is likely to continue trailing that of iOS and why these devices are likely to yield a much lower return for the ecosystems that run upon them.
  • For example, RFM estimates that Google can earn $31.6 per user per year from an iOS device, whereas its own Android devices can only generate $14.0 per user per year on average.
  • Part of this is due to the differences in demographics between the two ecosystems, but I am certain that most of it is due to the fact that Android devices are more difficult to use, less secure and, as a result, generate much less traffic.
  • I think that this lower usage also drives lower loyalty, meaning that Android users are willing to try something else.
  • Fortunately for Android, there is nothing else at the moment, but that does not mean that this will be the case forever.
  • This is why I see Google, Alibaba, Tencent, Xiaomi, Cyanogen and others all taking their versions of Android fully proprietary, as then they will be able to control fragmentation, update the devices when needed and fix security flaws.
  • I think that this will begin in earnest in 2017, with Google leading the way, as Oracle has given it the perfect excuse to do so (see here).
  • Failure to fix this problem is likely to hurt Android revenues in the long term, leading to Google’s shares looking even more overvalued.
  • I continue to prefer Baidu, Microsoft and Samsung to Google in the immediate term.

RICHARD WINDSOR

Richard is the founder and owner of the research company Radio Free Mobile. He has 16 years of experience working in sell-side equity research. During his 11-year tenure at Nomura Securities, he focused on the equity coverage of the Global Technology sector.