Android has 1639 CVE vulnerabilities, and 496 of these apply to 7.x or later.
Regardless, both Apple and Google need to protect their OS.
Back to Google. Its 55-page Android Security Report 2017, published March 2018, is interesting, if a little dry, reading.
One of the most telling statements is that, like Apple’s iOS, Android has expanded into wearables, TVs, set-top boxes, Internet of Things, cars and so much more. The two billion devices now pale in comparison with the explosion of Android devices over the next few years.
Later Android versions have reporting that enables Google to identify potentially harmful applications (PHAs) and where they are coming from.
Exploit pricing is up
Google says ‘exploit pricing’ – what cybercriminals pay to access vulnerability exploit kits on the dark web – is correlated with the attacker’s cost.
Pricing includes time, people, expertise, product knowledge, product accessibility, specialised equipment, and money to develop an exploit. Growth in exploit pricing and difficulty demonstrates that Android has achieved a strength of protection that now leads the industry.
It is a group effort
While Apple has complete control of its devices and ecosystem, Android is open. There are more than 60,000 different device models currently in use.
In 2017 Google Play Protect reviewed about 23 million new apps, up 65% from 2016.
Google says protection is a joint responsibility. It has collaborated closely with device manufacturers, system on a chip (SoC) vendors, telecom carriers, researchers and academics to strengthen the security chain.
As a comparison, Intel has been affected by Spectre and Meltdown vulnerabilities in many of its x86 CPUs. But Intel alone cannot fix it as Windows is also an open system. Patches must be rolled out by thousands of motherboard makers, system assemblers and more.
Google Play is nine times safer
Apps downloaded from Google Play are nine times less likely to have a PHA than apps downloaded from other sources.
Google Play Protect on later Android versions is the most widely deployed mobile threat protection service in the world. This does not rely on manufacturers’ or carriers’ over-the-air (OTA) firmware updates. It allows Google to roll out security updates independent of hardware/firmware updates.
All devices with Google Play Protect have a set of endpoint and mobile threat protection services that protect against common threats, including network attacks, app exploits, potentially harmful applications (PHAs), and physical attacks, such as device theft.
Platform security now baked in
In 2017, Google expanded platform-level security in 7.x Oreo by making devices easier to update via Project Treble. This gave apps a way to verify Android devices, reduced privilege, and mitigated sophisticated attack techniques. The result was that more than 30% of Android devices received OTA security updates.