‘Fragmentation’ leaves Android phones vulnerable to hackers, scammers

In late October, researchers at North Carolina State University alerted Google to a security flaw that could let scam artists send phony text messages to Android phones — a practice called “smishing” that can ensnare consumers in fraud.

Google’s security officials replied in minutes, confirming the flaw and promising to correct it. Within days, they had incorporated a fix into the latest version of the Android operating system, Jelly Bean 4.2, and made available a security update for earlier versions.

But for most Android phones, the fix never arrived. For many, it never will.

That is because it is not clear which company — Google, the smartphone maker, or the wireless carrier that sells it — bears ultimate responsibility for the costly process of getting security updates to an Android device. Fixes to known security flaws can take many months to reach individual smartphones if they arrive at all.

Security experts say the problem has contributed to making the world’s most popular mobile operating system more vulnerable than its rivals to hackers, scam artists, and a growing universe of malicious software.

Breaches remain more common on traditional computers than on smartphones, which have been engineered to include security features not found on desktop or laptop machines, experts say.

But outdated software can undermine such protections. If there was a major outbreak of malicious software, the fractured nature of the system for delivering updates could dramatically slow efforts to protect information carried on Android phones — including documents, passwords, contact lists, pictures, videos, location data, and credit card numbers.

The risks are severe for businesses and government agencies, whose increasingly popular bring-your-own-device policies have created new potential portals for espionage aimed at secure computer systems.

“You have potentially millions of Androids making their way into the workspace, accessing confidential documents,” said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. “It’s like an arid forest, and it’s just waiting for a match.”

Google engineers designed Android to resist hackers and have continually improved it. The company has also worked to purge malicious software from its app store, Google Play, minimizing the risk from one possible infection route.

“We’ve built the system from Day One to deal with this kind of world,” said Hiroshi Lockheimer, vice president of Android engineering. “The health of the Android ecosystem is essential to us.”

Yet while each new generation of Android delivers improvements that close off newly discovered avenues of attack, the company has struggled to get updated software to smartphones already in the hands of consumers.

The latest version of Android — the one with the “smishing” fix — is used by just 1.4 percent of the more than 500 million Android devices worldwide, according to data compiled by Google. The company also released a security patch that could repair the flaw in earlier versions of Android. Still, neither Google nor the wireless carriers could say how many current phones received the patch.

Ars Technica, a news site covering the technology industry, analyzed the update schedules for dozens of the most popular Android smartphones in December and found that most had received only two updates since consumers bought them, sometimes years earlier.

Apple’s iPhone, the leading competitor to Android smartphones, gets operating-system updates several times a year. A similar update schedule is common for desktop and laptop operating systems and other software, with updates happening automatically — often with users not knowing it.

What is different about the Android line of smartphones is that various manufacturers, such as Samsung, LG, and HTC, make dozens of devices that tailor the software and its updates to their own specifications. Then wireless carriers, such as Verizon, AT&T, and Sprint, make their own changes and test each update before sending it to consumers over their wireless networks.

The overall updating process for Android phones typically takes months and happens far less frequently than recommended by security experts, who call the diffusion of responsibility among several companies “fragmentation.” Blame also is spread widely, though it often focuses on the carriers as the most important chokepoint.

Wireless carriers say they seek to release updates promptly, but they acknowledge that the process generally takes months.

“When more than one company is involved in delivering the final product, as is the case with the Android environment, any improvements in the security update process must include all entities involved,” said Ed Amoroso, the chief security officer at AT&T. “We intend to coordinate with other providers to see if we can engineer a better solution than the one we have now.”

Verizon Wireless, the largest wireless carrier, and Samsung, the largest Android device maker, declined to answer detailed questions and said they deliver updates as quickly as possible. Sprint declined numerous interview requests, referring queries to Google.

But security experts say Google, by itself, has little power to get faster updates to phones. It founded the Android Update Alliance in 2011 with carriers and device makers, but the initiative has produced little.

Last year, Google bought Motorola Mobility, a leading manufacturer of mobile devices, which may eventually lead to faster updates for that company’s products. Google’s record of updating software on its own line of phones and tablets, called Nexus and produced in conjunction with other manufacturers, is better than when phone makers adopt the Android system, which Google makes and distributes for free.

The extent of risk to smartphones is a subject of debate among security experts. CrowdStrike’s Alperovitch said that most consumers face little danger as long as they buy apps through Google’s store and do not patronize the growing number of third-party stores that have become popular in China and beyond.

Other experts say the risk is real and growing for all Android users. McAfee, the anti-virus company, says it has documented an explosion in the amount of malicious software designed to target the operating system, which runs on three out of four new smartphones worldwide. Some malicious software steals personal information, while some can initiate phony charges that can appear — and often are not detected — on consumers’ cellphone bills.

Trend Micro, another security company, has reported on the spread of Android-based botnets, which could allow remote users to take control of thousands or even millions of devices at a time.

There are many potential entryways for those looking to hack into smartphones: browsers, text messages, e-mails, cellular signals, WiFi signals, Bluetooth connections, and, for the latest smartphones, near-field communication radios. Some powerful spying software, typically used by governments, allows hackers to switch on cameras or microphones to watch or listen to smartphone users.

“Now they can hack your life, your physical life, not just your cyber-life,” said Tom Kellermann, a Trend Micro vice president and member of President Obama’s commission on cybersecurity.

Such intrusions are difficult and time-consuming, making them unlikely for ordinary users. But security experts warn that such tactics could be used against the most valuable targets, such as business executives or senior government officials, especially if they are running outdated software.
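The enterprise risk the article describes comes down to a practical question a defender can actually answer: of the Android devices we allow onto the network, how many are still running a version that predates a known fix and have not received the backported update? The script below is an added example, not code from the article or from Google, and its inventory is constructed: it assumes a device list (model, Android version string, and a flag saying whether the separately released update for older versions was applied) such as a mobile-device-management export would provide, and uses the article's own fact that the “smishing” fix shipped in Android 4.2 and as a separate update for earlier versions. It generalizes to any fix with a known first-fixed version.

```python
"""Fleet check for Android version fragmentation (added example, not from the article).

Assumptions (constructed for illustration): the inventory is a list of dicts with
each device's Android version string and whether a backported fix was installed.
The article states the "smishing" fix shipped in Android 4.2 and as a separate
update for earlier versions, so a device is covered if it runs 4.2 or later, or
an earlier version with the backport applied.
"""
from collections import Counter
from typing import Dict, List, Tuple

FIXED_IN_VERSION = "4.2"  # first Android version that ships the fix, per the article

# Constructed sample inventory; device ids, model names and versions are made up.
INVENTORY: List[Dict] = [
    {"id": "dev-001", "model": "phone-A", "android": "4.2.1", "backport_applied": False},
    {"id": "dev-002", "model": "phone-B", "android": "4.1.2", "backport_applied": True},
    {"id": "dev-003", "model": "phone-B", "android": "4.1.2", "backport_applied": False},
    {"id": "dev-004", "model": "phone-C", "android": "4.0.4", "backport_applied": False},
    {"id": "dev-005", "model": "phone-D", "android": "2.3.6", "backport_applied": False},
    {"id": "dev-006", "model": "phone-A", "android": "4.2",   "backport_applied": False},
    {"id": "dev-007", "model": "phone-C", "android": "4.0.4", "backport_applied": False},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.1.2' into (4, 1, 2) so versions compare numerically.

    Comparing the raw strings would be wrong: '4.10' sorts before '4.2'
    lexically, but is the newer release.
    """
    return tuple(int(part) for part in version.strip().split("."))


def has_fix(device: Dict, fixed_in: str = FIXED_IN_VERSION) -> bool:
    """True if the device runs the fixed version or later, or has the backport."""
    if parse_version(device["android"]) >= parse_version(fixed_in):
        return True
    return bool(device.get("backport_applied", False))


def summarize(inventory: List[Dict], fixed_in: str = FIXED_IN_VERSION) -> Dict:
    """Count covered vs. unfixed devices and group the unfixed ones by version.

    The grouping answers the question the article says neither Google nor the
    carriers could: how many devices in this fleet actually received the fix.
    """
    unfixed = [d for d in inventory if not has_fix(d, fixed_in)]
    by_version = Counter(d["android"] for d in unfixed)
    return {
        "total": len(inventory),
        "fixed": len(inventory) - len(unfixed),
        "unfixed": len(unfixed),
        "unfixed_by_version": dict(by_version),
        "unfixed_ids": sorted(d["id"] for d in unfixed),
    }


if __name__ == "__main__":
    report = summarize(INVENTORY)
    print(f"{report['fixed']}/{report['total']} devices have the fix")
    for version, count in sorted(report["unfixed_by_version"].items()):
        print(f"  unfixed on Android {version}: {count}")
    print("devices to follow up:", ", ".join(report["unfixed_ids"]))
```

In practice the inventory would come from the device-management system rather than a literal in the file, and the same check can be rerun with a different `fixed_in` value for each fix the organization tracks; the version parsing is the part most often done wrong, since a plain string comparison misorders releases such as 4.10 and 4.2.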

“It’s essentially the weak link in the chain,” said Pat Calhoun, a senior vice president at McAfee, a maker of security software. “The cybercriminals have determined that if they want to get into the enterprise, the best way is through the mobile device.”

The need for fast action

There is little evidence the “smishing” vulnerability — so named because it was a version of “SMS phishing,” meaning it sought to trick users into clicking on a malicious link in a phony text message — has spread widely. Xuxian Jiang, the computer science professor who reported the flaw to Google, said he has heard numerous reports of “smishing” attacks in China but few in the United States.
