Homeland Security: Hackers Love Old Androids


One of the biggest problems for the long-term success of Google’s (NASDAQ:GOOG) mobile operating system — Android — is also partly the reason why the platform has been so success: its fragmentation. In pursuing the best possible user experience for its mobile operating system, Google took a philosophically different approach from Apple (NASDAQ:AAPL).

Where the iPhone restricts hardware and software standards to maintain high quality, Google allowed the design of Android to be guided by an open-source design strategy, giving the software away for free and enabling hardware manufacturers, carriers, and app developers to make their own improvements to the software. We “wanted to make sure there was no central point of failure, where one industry player could restrict or control the innovations of any other,” explains Android Open Source Project. “Android is intentionally and explicitly an open-source,” and the “objective is a shared product that each contributor can tailor and customize.”

However, because so many different original equipment manufacturers, OEMs, use their own uniquely modified version of Android, it is difficult for Google to quickly implement needed changes. When Google releases a new version of the operating system, it takes manufacturers — like Samsung (SSNLF.PK), HTC (HTCKF.PK), 9 (LGEAF.PK), and others — several months before the updates reach consumers. These manufacturers heavily modify Android to suit their needs, so every time a new version of Android is released they must first tailor it and then test it before passing along the updated software. As a result, the newest software operating these manufacturers’ handsets are often two or three versions behind.

Screen Shot 2013-08-27 at 11.55.29 AMIn terms of business, the upgrade time-lag is a minor problem because the release of a new version of the operating system does not cause the same buzz as an Apple release. The problem is more concerning when taking into account the opportunity the lag provides hackers.

A warning issued by the U.S. Department of Homeland Security on July 23, 2013 was meant to inform members of police and fire departments, emergency medical services, and security personnel that Android is the primary target for malware attacks because of its open source architecture and market share — Android-based devices accounted for 79 percent of all smartphones shipped in the second quarter. “The growing use of mobile device by federal, state, and local authorities makes it more important than ever to keep mobile OS patched and up-to-date,” noted the release.

Of the total number of malware threats to mobile operating systems in 2012, Android attracted the most with 79 percent, followed by Symbian with 19 percent. Comparatively, iPhones were targeted by just 0.7 percent of all threats, while Microsoft’s (NASDAQ:MSFT) Windows Mobile Phone and BlackBerry (NASDAQ:BBRY) each accounted for 0.3 percent of the threats.

Older versions of Android are still widely used. “Industry reporting” has shown that 44 percent of Android smartphones still run version 2.3, a interaction known as Gingerbread that was released in 2011, and it contains a “number of security vulnerabilities that were fixed in later versions of the operating system.” It should be noted that new Android usage data that Google released in early July shows that Jelly Bean, version 4.1 and 4.2, now has 37.9 percent adoption and Gingerbread has 34.1 percent.

The document then went on to explain the three major security threats to Android devices operating versions 2.3.3 through 2.3.7: SMS trojans — which represent nearly half of the malicious applications on older Android operating systems — send messages to numbers owned by hackers without the user’s knowledge.

Rootkits track the user’s locations, keystrokes, and passwords without the user’s knowledge and fake Google Play Domains trick users into installing malicious applications that allow hackers to access sensitive personal information, including financial data.

The security fixes are simple, recommended by the Office of Intelligence and Analysis, Cyber Intelligence Analysis Division, and National Protection and Programs Directorate, US Computer Emergency Readiness Team, which prepared the document. Users of older versions of Android should download Android security suits to stop text message trojans, install a free application — the Carrier IQ Test — to detect and remove malicious software and install only “approved applications and follow IT department procedures to update devices’ OS.”

Google has been working to limit OS fragmentation by pushing the newer Jelly Bean operating system and and supplying developers with code that lets older software take advantage of newer OS features, according to a report from Open Signal.

But fragmentation has still grown, Open Source has found, thanks to the data it has amassed from users of its own Android app. In the past few months, 11,868 distinct devices download the company’s app over the last few months.

“While fragmentation certainly poses a headache to developers who have to test and optimize on an ever-increasing number of devices, the success of the Android ecosystem cannot be separated from its fragmented, free-for-all, nature,” the report read. “For consumers, extreme fragmentation means that they can get exactly the phone they want — big or small, cheap or expensive, with any number of different feature combinations.”

Still, Google is making effort to gain some form of control over fragmentation through Motorola’s new Moto X, a phone that the company introduced just a few weeks ago. “While Motorola won’t have advanced access to new Android code, the company does hope to have devices that can quickly be upgraded,” Motorola’s Chief Executive Officer Dennis Woodside told All Things D. “In part, that stems from not making a lot of changes to the underlying operating system so that updates can easily be readied and then tested by cellular.”

Don’t Miss: Goldman Dodges Losses But Concerns Remain After Trading Glitch.

Follow Meghan on Twitter @MFoley_WSCS