The American Civil Liberties Union filed a complaint with the U.S. Federal Trade Commission on Wednesday, calling on the Federal Government to take action to stem an epidemic of unpatched and insecure Android mobile devices, a public scourge that the ACLU blames on recalcitrant wireless carriers.
The civil liberties group’s complaint for injunctive relief with the FTC notes that “major wireless carriers have sold millions of Android smartphones to consumers” but that “the vast majority of these devices rarely receive software security updates.”
Calling the unpatched phones “defective and unreasonably dangerous,” the ACLU says that carriers leave their customers vulnerable to malware and spear phishing attacks that can be used to record or transmit information on the device to third parties.
“A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers’ smartphones by the wireless carriers and their handset manufacturer partners,” the ACLU said.
Android devices now account for close to 70 percent of new mobile devices sold. The porous security of many of those devices has become a topic of concern. The latest data from Google highlights the challenge facing the company: more than six months after its release, just over 16% of Android users are running Versions 4.1 or 4.2, the latest versions of the OS, dubbed “Jelly Bean.” In contrast, 44% of Android users are still running the “Gingerbread” release (Versions 2.3.3 through 2.3.7), a two-year-old version of the operating system that has known security vulnerabilities, according to data released by Google on the Android developer blog.
All those vulnerable devices are an attractive target for cyber criminal groups. Android devices were the target of almost all the mobile malware detected in 2012, despite being the source of just a fraction of the mobile operating system vulnerabilities, according to data from the security firm Symantec.
Of 108 new malicious programs for mobile devices identified in 2012, 103 targeted Android devices, Symantec disclosed. Conversely, Apple’s iOS operating system was the target of just a single piece of documented mobile malware in 2012, despite being the source of almost all the documented mobile application vulnerabilities (387 of 415 across all mobile platforms), Symantec reported in its Internet Security Threat Report, released on Tuesday.
The difference: Android’s decentralized and unmonitored network of official and third-party application stores. Many of these have become hotbeds of malicious mobile applications, especially those serving audiences outside North America. But malicious operators and spammers have even devised ways to sneak malware and adware into Google’s official Android marketplace, Google Play.
“Nobody becomes a cyber criminal because they want to work hard,” said Kevin Haley, the Director of Symantec Security Response. “Android makes it simple to write malware and hide it inside a legitimate application. You don’t need a vulnerability to spread malware.”
The ACLU complaint, signed by privacy advocate and ACLU principal technologist Christopher Soghoian, asks the FTC to investigate the major wireless carriers and force them to cease what it describes as “unfair and deceptive business practices.” That includes demands that carriers be required to inform Android customers about known and unpatched security holes in the Android operating system. Customers whose phones were not updated by the carrier in a reasonable amount of time should be allowed to turn it in or exchange it for a same phone, the complaint reads.
In responses to media outlets, some wireless carriers issued statements Tuesday.
Verizon Wireless released a statement saying the company “is focused on ensuring our customers have good experiences with their smartphones and tablets… We work closely with [mobile device makers] and provide mandatory updates to devices as quickly as possible,” said spokeswoman Brenda Rainey, according to a story in The Washington Post. Sprint also responded, saying the company “follows industry-standard best practices designed to protect its customers,” according to spokesman John B. Taylor.