Two Android security problems have hit the news over the last few days. The first is a problem with java.io.ObjectInputStream on all devices prior to Lollipop. It is not a problem in itself, in that the user first has to be induced, somehow, into installing a malicious app. The second is one such app, NotCompatible, which has been around a long time but has recently made the news due to some posts on popular sites.
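The general defensive pattern for Java deserialization, as an added example that is not part of the original post: an ObjectInputStream subclass that refuses to instantiate any class not on an explicit allow list, so a stream naming an unexpected class is rejected before an instance exists. The `Message` type, the class names and the sample inputs are constructed for the illustration; this hardens an app's own use of ObjectInputStream and does not patch the platform-level flaw the post refers to.

```java
import java.io.*;
import java.util.Collections;
import java.util.Date;
import java.util.Set;

/** Hypothetical payload type an app legitimately expects to receive (constructed for this example). */
final class Message implements Serializable {
    private static final long serialVersionUID = 1L;
    final String text;
    Message(String text) { this.text = text; }
}

/** ObjectInputStream that refuses to instantiate any class not explicitly allowed. */
final class AllowListObjectInputStream extends ObjectInputStream {
    private static final Set<String> ALLOWED = Collections.singleton(Message.class.getName());
    AllowListObjectInputStream(InputStream in) throws IOException { super(in); }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        // Invoked for every class descriptor in the stream before any instance is created.
        if (!ALLOWED.contains(desc.getName())) {
            throw new InvalidClassException(desc.getName(), "class not on allow list");
        }
        return super.resolveClass(desc);
    }
}

public class DeserializeDemo {
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    static Object readRestricted(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(bytes))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: the expected type passes through unchanged...
        System.out.println("accepted: " + ((Message) readRestricted(serialize(new Message("hello")))).text);
        // ...while a stream naming any other class is rejected before it is instantiated.
        try {
            readRestricted(serialize(new Date()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```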
The thing is, the user has to explicitly agree to download and install the app while browsing the web. A bigger question is why Android's anti-malware tool, Bouncer, hasn't detected this side-loaded app. I suspect it has. Bouncer has only worked on side-loaded apps since Android 4.2, and I suspect the majority of infected devices run earlier versions of Android.
The best defence is probably to use only devices running Lollipop. As I have previously observed, it is in some ways odd that one of Android's failings, slow or non-existent OEM OS upgrades, might push more people to buy a new device in order to be on a more secure Android version, which in turn will reduce OS fragmentation to the benefit of the platform.