Over 60% of Android apps have security vulnerabilities

Ruth C. | July 20, 2021

When a developer leaves a mistake in application code, it can create a security vulnerability that criminals may exploit. 

According to the data presented by the Atlas VPN team, 63% of Android applications had known security vulnerabilities in Q1 2021, with an average of 39 vulnerabilities per app. Gaming and financial apps were found to be the most riddled with vulnerabilities.

The figures are based on the "Peril in a Pandemic: The State of Mobile Application Security" report by the Synopsys Cybersecurity Research Center (CyRC). CyRC analyzed the security of open-source software components of 3,335 free and paid mobile applications on the Google Play store as of Q1 2021. The applications span 18 of the most popular app categories during the pandemic. Overall, 98% of the apps contain open-source components.

Gaming apps had the most vulnerabilities out of all Android app categories. A whopping 96% of top free games apps were found to contain vulnerable components. Additionally, 94% of top-grossing games apps and 80% of top paid games apps also had vulnerabilities.

Next up were financial apps. Despite the fact that financial apps require some of the most personally sensitive data, vulnerabilities were discovered in 88% of banking apps, 84% of budgeting apps, and 80% of payment apps.

Top-grossing apps and top free apps both had significant vulnerability levels, though lower than the general average of 63%. In total, 61% of top-grossing apps had vulnerabilities, as did 59% of top free apps.

Vulnerable components were also found in more than half of productivity apps (58%), educational apps (57%), tools for teachers (56%), and entertainment apps (55%).

All in all, 3,137 unique vulnerabilities were found in Q1 2021, appearing more than 82,000 times across Android apps. A total of 73% of vulnerabilities had been first disclosed more than two years ago, yet they were still present in Android apps in the first quarter of this year.

Educational apps have the most high-level vulnerabilities

Not all vulnerabilities are equal. While some may just be minor issues that do not pose any active threat to the user, other vulnerabilities can cause serious repercussions. Let’s delve deeper into the different types of Android security vulnerabilities registered since 2018. 

Educational apps had the highest share of exploitable Android vulnerabilities with possible fixes as of the first quarter of 2021, at 43%. Productivity and banking apps occupied the second and third spots in the list, containing 41% and 39% of such vulnerabilities, respectively.

Apps in the top games category had the biggest share of exploitable Android vulnerabilities with no available fixes, at 6%. Not far behind were budgeting and banking apps, each of which contained 5% of such vulnerabilities.

Overall, 44% of the Android app vulnerabilities were classified as high-risk, meaning they represented a tangible threat. Out of the high-risk vulnerabilities, 1% were remote code execution (RCE) flaws. This type of vulnerability enables an attacker to execute code of their choice on the affected system, in the worst case with system-level privileges.

While 94% of vulnerabilities were found to have publicly documented fixes, the remaining 6% had no known solution.

As the majority of companies continue to use open-source components to build mobile apps, the security issues in these components can no longer be ignored. Given that the Google Play store applications have been downloaded millions of times, it is safe to say they pose significant security risks to Android users.

Ruth C.

Cybersecurity Researcher and Publisher at Atlas VPN. Interested in cybercrime, online security, and privacy-related topics.
