The Dirty Dozen: Why the 12 Most Vulnerable Smartphones All Run Android
|Image composite by SecurityNewsDaily|
A new study aimed at determining the most vulnerable smartphones shows that, unfortunately for Google, its Android army has the malware market cornered.
"I don't think people realize how chaotic the Android ecosystem is," Harry Sverdlove, chief technology officer for the Massachusetts-based security firm Bit9, told SecurityNewsDaily.
Sverdlove cited Google's convoluted chain of command, which requires cellphone carriers as opposed to Google or phone manufacturers to push out critical software updates for Android customers.
Bit9's study, "The Most Vulnerable Smartphones of 2011," released today (Nov. 21), puts statistics to the chaos and names the top 12 phones most vulnerable to mobile malware. All of them run on the Android operating system.
Dirty Dozen smartphones
From 1-12, Bit9's "Dirty Dozen" most vulnerable phones are the Samsung Galaxy Mini, the HTC Desire, Sony Ericsson's Xperia X1, the Sanyo Zio, the HTC Wildfire, the Samsung Epic 4G, LG's Optimus S, the Samsung Galaxy S, the Motorola Droid X, LG's Optimus One, the Motorola Droid 2 and the HTC Evo 4G.
The criteria for the list included each smartphone's market share, how up-to-date and secure its software is and the frequency of the update cycles pushed out by the carriers.
In some cases, as with the Samsung Galaxy Mini and the Sanyo Zio, the average time period between when an Android upgrade was announced by Google and when it was finally stabilized and made available by the carrier for that particular model exceeded 300 days.
"Fifty-six percent of Android phones in the marketplace today are running out-of-date and insecure versions of the Android operating system software," Bit9 said in the report.
Couple that with a tendency by carriers to focus all their attention on new or upcoming phones, and not on security for older models, and again the Android ecosystem reveals its flaws.
Bit9's report came the same day as the security firm McAfee's report on the third quarter of 2011, which said malware targeting Android devices has jumped 37 percent since Q2.
Focus is on future phones, not present problems
"Manufacturers release [Android] phones on 12-18 month cycles. They're always focused on the next model, not focused at all on fixing security for existing users," Sverdlove told SecurityNewsDaily. "Something has to change in the ecosystem, not the operating system. Google needs to take control of the operating system."
Sverdlove said he believes consumers have become more security-conscious about their home computers, but they don't necessarily adopt that same attitude toward their smartphones.
"Even in non-tech circles, we've started to learn safety when we use personal computers," he said. "Most people know to be wary of strange emails, not to click on strange links, not to download anything in the world just because it has a picture of a cute kitten. I don't think people realize that an Android [phone] is just another computer, and just as vulnerable ."
Open source has upsides and flaws
Many of the flaws Bit9 identified in Android stem from the fact that Android is an open-source platform, meaning that developers have access to the source code. This can promote innovation and creativity, but, according to Neohapsis security researcher Georgia Weidman, there's a serious downside.
"Google prides itself on having a more open platform," Weidman told SecurityNewsDaily. "Many developers, myself included, prefer it for this reason. That said, the open platform, where any app can do anything it wants, opens a lot of doors for malware developers."
"The openness of the system comes with a price," Ondrej Krehel, information security officer with Identity Theft 911, told SecurityNewsDaily.
Echoing Weidman, Krehel said open-source projects give developers the chance to collaborate and actually make platforms and applications more secure. But things can get out of hand if there isn't somebody in place Google, in this case to oversee which applications get released and which don't.
"There still has to be a guardian for the distribution of Android applications," Krehel said. "The maintainer of the platform has to contribute to its security, because the end users will not be aware."
Krehel said he believes Google is still learning how to maintain a balance of keeping Android open source and being a "good guardian."
Although overhauling Android is something Weidman doesn't anticipate Google doing in the near future, she said Google could start to increase Android security by changing the permissions that applications request upon installation on customers' phones.
Weidman said she recently built a simple Android app that requested some common permissions "the sort of permissions that popular apps such as Facebook and Twitter clients ask for."
Her proof-of-concept rogue app, called "Evil App," then "used those permissions to steal personal data from the phone's user and send it offsite to an attacker," she said. "If you look at the permissions of the applications on your phone, chances are most of them could be silently spying on you, giving you no indication that anything is wrong. Why not let users pick and choose the permissions they want to allow?"
Weidman holds out hope for Android, and says that with "proper user awareness and more oversight when it comes to apps, I think it could mature into a stronger security model than Apple's closed-source alternative."
Krehel suggested Google could start to secure the Android system by increasing customers' awareness of security threats and instructing them, in "human readable" manuals, on how to institute some simple security configurations on their phones.