Older Android Devices At Risk As Carriers Delay Upgrades

Latest version of Android OS rebuffs most malware, says study, but carriers continue to drag their feet on providing upgrades and patches.

Mathew J. Schwartz, Contributor

June 27, 2013

Updating Android devices to the latest version of the mobile operating system would eliminate 77% of the attacks now used successfully against those devices.

That finding comes via a mobile threats study released this week by Juniper Networks.

Overall, the study found, from March 2012 to March 2013 the volume of mobile malware increased 614% -- compared to the 155% increase seen in 2011 -- and comprised a total of 276,259 malicious apps. "This trend suggests that more attackers are shifting part of their efforts to mobile," according to the report.

How are devices getting infected? Third-party app markets are most often to blame. About 60% of these app markets are located in Russia, or in China, where access to Google Play is blocked. In total, Juniper counted over 500 third-party app stores hosting at least some mobile malware. "These third-party alternatives to official marketplaces often have low levels of accountability, allowing for malicious commodities to have a near infinite shelf life," said the report.

"These stores are also a concern for the several million 'jailbroken' iOS devices that rely on them to 'side load' apps," it said. That's one reason why mobile security experts recommend blocking any jailbroken iOS device from an enterprise network.

Regardless of the platform, every successful mobile malware infection, on average, earns an attacker money. "Each successful download provides attackers around $10 in immediate profit," said the study. "At the high-end of the market, more sophisticated attackers are using botnets and threats targeting high-value data on corporate networks in the enterprise."

Android malware is thriving in large part because even attackers who aren't coding geniuses can make a quick buck, which helps explain why Android is now the mobile OS that attackers most favor as a target.

Relatively simple short message service (SMS, or texting) Trojans accounted for 48% of all Android malware seen. The malware dials premium-rate phone numbers, which are typically leased by the malware developer or their criminal associates, and which predominate in Russia and the rest of Eastern Europe, as well as Asia. Meanwhile, 29% of all mobile malware involved fake app installers, which are malware that's often just thinly disguised to resemble a legitimate version of a popular app. In comparison, sophisticated Trojan spying tools accounted for only 19% of all Android mobile malware seen.

The good news is that the most prevalent type of attack -- SMS Trojans, which are involved in 77% of all attacks -- is easily blocked by the latest version of the Android operating system, Android 4.2 Jelly Bean, because it comes with built-in SMS attack protection. Such attacks also can be stopped by Android anti-virus software, but adoption of these security tools lags.

The bad news is that as of June 3, Android 4.2 was installed on just 4% of Android smartphones. In other words, the majority of attacks now seen on Android users "could be largely eliminated if the Android ecosystem of OEMs and carriers found a way to regularly update devices," reported Juniper.

How might handset manufacturers and carriers be forced to update and patch their devices more regularly? In fact, thanks to a settlement between HTC and the Federal Trade Commission (FTC) in February, the handset maker will be required to do just that, for at least the next 20 years.

The American Civil Liberties Union (ACLU), meanwhile, has urged the FTC to continue the crackdown by making the country's four biggest wireless carriers update devices regularly, or else. As an incentive, the ACLU has proposed interpreting consumer-protection laws to allow consumers to return any mobile device for a full refund for up to two years after it's been purchased, unless the carrier issues regular information security patches or software updates for the device.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
