Android Bad

The security firm Bit9 on Monday (Nov. 21, 2011) released a survey that tried to determine which smartphones in the U.S. market were the most vulnerable to malware.

Not surprisingly, Android phones dominated the list. In fact, no other platform even made the cut, partly because of Android's huge market penetration, but also because the two other dominant smartphone platforms, Apple's iOS and Research In Motion's BlackBerry, have much tighter controls over software updates.

Bit9's criteria for ranking the phones were each model's market penetration, which version of Android it ran, and, most importantly, how long its carrier took to push out software updates. Bit9 rated each model with a vulnerability score from 0 to 9, with 9 being the most vulnerable.
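Two of the inputs Bit9 says it used, the Android release a handset runs and how long its carrier took to ship an update, are easy to check yourself. The script below is an added example, not Bit9's or SecurityNewsDaily's code: it pulls the release string out of `adb shell getprop` output, compares it against the newest 2.3.x incremental the article names (2.3.7), and turns release/OTA date pairs into an update lag in days. The getprop text and the dates are constructed for illustration, and Bit9's actual 0-to-9 scoring formula is not on this page, so the script reports the raw inputs rather than a score.

```python
"""Android version-staleness and carrier update-lag check.

Added example (not Bit9's methodology or code). The getprop sample and the
release/OTA dates below are constructed; only the 2.3.7 "latest" value comes
from the article.
"""
from datetime import date
from typing import Iterable, Tuple

# Newest Gingerbread incremental named in the article.
LATEST_GINGERBREAD = "2.3.7"

# Constructed sample of `adb shell getprop` output (real devices print many
# more lines; only the release property matters here).
SAMPLE_GETPROP = """\
[ro.build.id]: [GRI40]
[ro.build.version.release]: [2.3.3]
[ro.build.version.sdk]: [10]
[ro.product.model]: [DROID2]
"""


def parse_version(v: str) -> Tuple[int, int, int]:
    """'2.3.3' -> (2, 3, 3); '2.3' is padded to (2, 3, 0) so it compares sanely."""
    parts = [int(p) for p in v.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected Android version string: {v!r}")
    return tuple(parts + [0] * (3 - len(parts)))  # type: ignore[return-value]


def release_from_getprop(output: str) -> str:
    """Extract ro.build.version.release from getprop's '[key]: [value]' lines."""
    for line in output.splitlines():
        if line.startswith("[ro.build.version.release]"):
            return line.split("[")[2].rstrip("]")
    raise ValueError("no ro.build.version.release in getprop output")


def is_behind(device_version: str, latest: str = LATEST_GINGERBREAD) -> bool:
    """True when the device trails the newest known release on any component."""
    return parse_version(device_version) < parse_version(latest)


def update_lag_days(upstream_release: date, carrier_ota: date) -> int:
    """Days between Google's release of a version and the carrier's OTA."""
    lag = (carrier_ota - upstream_release).days
    if lag < 0:
        raise ValueError("carrier OTA predates upstream release; check the dates")
    return lag


def average_lag_days(pairs: Iterable[Tuple[date, date]]) -> float:
    """Mean lag over several (upstream release, carrier OTA) pairs."""
    lags = [update_lag_days(a, b) for a, b in pairs]
    if not lags:
        raise ValueError("need at least one release/OTA pair")
    return sum(lags) / len(lags)


def check_device(getprop_output: str, history: Iterable[Tuple[date, date]]) -> dict:
    """Summarise the staleness inputs for one handset."""
    running = release_from_getprop(getprop_output)
    return {
        "running": running,
        "latest": LATEST_GINGERBREAD,
        "behind": is_behind(running),
        "avg_lag_days": average_lag_days(history),
    }


if __name__ == "__main__":
    # Constructed history: two OTA updates that each landed months after release.
    constructed_history = [
        (date(2011, 2, 9), date(2011, 7, 7)),
        (date(2010, 12, 6), date(2011, 4, 1)),
    ]
    print(check_device(SAMPLE_GETPROP, constructed_history))
```

Run it on a real handset by replacing `SAMPLE_GETPROP` with the output of `adb shell getprop`; the 2.3.7 baseline is the article's 2011 figure and should be updated for any current comparison.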

SecurityNewsDaily's companion story to this gallery, "The Dirty Dozen: Why the 12 Most Vulnerable Smartphones All Run Android," examines why this is the case. But in the interest of clarity, we present here, from least vulnerable to most, the dirty dozen phones that Bit9 says are the most susceptible to malware.

The HTC Evo 4G:

Bit9 gave this model, which was Sprint's flagship in the summer of 2010, a vulnerability score of 3. That's not much worse than several phones that didn't make the Dirty Dozen list, but the Evo 4G was docked points because Sprint took more than three months on average to update its software, and it has never been upgraded beyond Android 2.3.3 (the latest incremental update is 2.3.7).

The Motorola Droid 2:

Verizon's successor to the Droid X (see below) was released only a few weeks later, in August 2010. It's still on Android 2.3.3, and got a vulnerability score of 4 because it took Verizon Wireless an average of 148 days (about 5 months) to update the software.

The LG Optimus One:

The Optimus One was the unbranded version of LG's entry-level phone, released in November 2010. Since carrier-branded versions had letter designations after the model name (see the LG Optimus S, below), it's not clear which carrier was responsible for this phone's vulnerability score of 4, but whoever it was took an average of 188 days, more than half a year, to update the software.

The Motorola Droid X:

At the same time that Sprint was bringing out the HTC Evo 4G in the early summer of 2010, Verizon Wireless introduced the Motorola Droid X with a huge marketing campaign. Like the Evo 4G, the Droid X is still stuck on Android 2.3.3, but it gets a worse vulnerability score of 4 for being an average of 140 days behind Android software updates.

The Samsung Galaxy S:

It's not clear which carrier's model Bit9 used to evaluate this very successful phone from the summer of 2010 (Sprint's variant was the Samsung Epic 4G, below), but that carrier waited an average of 254 days to update the software, which even now is still stuck on Android 2.3.0. That gives it a vulnerability score of 5.

The LG Optimus S:

The LG Optimus S scored a 7 on Bit9's vulnerability scale; the smartphone currently runs the outdated 2.2 version of Android, an update its users had to wait an average of 165 days to receive.

The Samsung Epic 4G:

The good news for Samsung Epic 4G owners this month was that they finally could run Android version 2.3 on their smartphones. Unfortunately, that was about 10 months late. Vulnerability score: 8.

The HTC Wildfire:

Customers of the HTC Wildfire, which isn't available from any of the Big Four U.S. carriers, had to wait an average of 228 days to get Android version 2.1, and up to 135 days more to finally get version 2.2, Bit9 said. They are still waiting for version 2.3. The HTC Wildfire scored an 8 on the vulnerability scale.

The Sanyo Zio:

It's not clear whether Sprint or Leap Wireless, a small pre-paid carrier, is responsible for the Sanyo Zio's abysmal score of 8. But customers waited between 226 and 315 days to get Android version 2.1. In May, the phone got Android 2.2, more than 315 days late, and it hasn't yet been updated to version 2.3.

The Sony Ericsson Xperia X10:

Bit9 ranked the Xperia X10 among the worst, with a 6 on its vulnerability scale, because Sony Ericsson released the phone with the already-outdated Android 1.6. The phone then skipped Android 2.2 entirely, leaving its customers with insecure software in the meantime. When it came time to release Android 2.3.3, Sony made it available only as a manual download rather than an over-the-air update.

The HTC Desire:

U.S. customers who bought an HTC Desire had to wait an average of 232 days for an over-the-air (OTA) upgrade, which resulted in a vulnerability score of 8. The Desire was released in Europe with Android version 2.2, Bit9 said, but American customers got version 2.1.

The Samsung Galaxy Mini:

Last and possibly least, the Samsung Galaxy Mini. As of today (Nov. 21), the Mini accounted for only 1.5 percent of the total market share of all Android phones. Yet the Mini is massively vulnerable, Bit9 said. Its average update lag was a whopping 316 days, more than 10 months. Bit9 gave the Galaxy Mini a vulnerability score of 9.

Rogues' Gallery: The Dozen Most Vulnerable Smartphones