Millions of Android users vulnerable to security threats, say feds

Millions of Android users vulnerable to security threats, say feds

Summary: Amid ongoing U.S. government mass surveillance claims, the DHS and FBI are more aware than ever of its use of the Android platform, and the vulnerabilities that go with it.

TOPICS: Security, Android
(Image: CNET/CBS Interactive)

Android remains the world's most widely used operating system, based on market and usage share statistics, used by hundreds of millions of customers worldwide.

But, according to a new document obtained by Public Intelligence, the U.S. Dept. of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are increasingly aware of the threats its law enforcement users and officials face at a federal, state, and local level in using older versions of the mobile platform.

Read this

Android app malware rates jump 40 percent

Android app malware rates jump 40 percent

A new report released by Trend Micro says that mobile malware rates are skyrocketing.

According to the roll call release — marked as unclassified but "for official use only," and designed for police, fire, emergency medical services (EMS) and security personnel — upwards of 44 percent of Android users worldwide are still using Android versions 2.3.3 to 2.3.7, which still contain security vulnerabilities fixed in later versions.

The document does not state, however, how many U.S. government staff use Android, let alone older versions of Android, on its networks.

Android continues to be a "primary target for malware attacks due to its market share and open source architecture," the document says, and an uptick in mobile device use by government users "makes it more important than ever to keep mobile [operating systems] patched and up-to-date."

As many will know, staying ahead of the Android security curve requires actively ditching existing handsets and buying a new device, particularly in a bring-your-own-device world where this falls down to the responsibility of the user. Many manufacturers and carriers do not issue the latest Android versions for older devices. 

Some highlights from the report:

  • 79 percent of malware threats affect Android, with 19 percent targeting Symbian. Windows Mobile, BlackBerry, iOS, and others all peg in at less than 1 percent each. (The source of the figures is not known.)

  • SMS text messages represent "nearly half" of the malicious applications circulating today on older Android operating systems. Users can mitigate by installing Android security suites on their devices.

  • Rootkits also pose a massive threat. The DHS/FBI document notes that in late 2011, a popular rootkit Carrier IQ was installed on millions of devices, including Apple iPhones (though Apple later removed the software) and dozens of Android devices. These rootkits often go undetected and can log usernames, passwords, and traffic without the user's knowledge — a serious security risk in a government enterprise setting.

  • Fake Google Play domains are sites created by cybercriminals, the document notes, which replicate the Android application store to trick users into installing fake or malicious apps. DHS/FBI note that only IT approved updates should be allowed, hinting that IT department should ensure secure IT policies from back-end mobile device management services.

You can find the roll call release embedded below, or via Public Intelligence's website [PDF].

Topics: Security, Android

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • With su much malware on the wild targeting it

    I wonder why not at least half of smartphones are infected!
    • Useless article

      This article has "I didn't research things" and "FUD" written all over it. Quit spreading FUD and write something useful for once.
      • Agreed

        A little misrepresentative to show a new Samsung Galaxy S4, when that is running Jellybean, and also has Knox security firmware (approved by the FBI/CIA/DoD/etc.)

        As well, with Samsung's at least, you have to go into one of the Settings menus, and check a box to allow side-loading of apps. No accidental loading of trojans or malware, unless you've specifically allowed downloads from sources other than the Play Store.
      • Useless article. TOTAL FUD!

        I have a 3 year old Samsung Galaxy S. Android 2.26

        So far ZERO malware since the day I bought it.

        THE FACTS:

        1. I've never even looked at a text from anyone I did not know!

        So the texting FUD holds no water unless you are apparently stupid enough to install a non Google Play SMS app.

        2. Since I have my Android set to not install 3rd party apps and only Google Play apps
        there is no way a virus, root kid or malware can get a million miles near my phone.

        3. I know at least 3 dozen friends who own Android phones and NOT EVEN ONE of them
        has ever gotten any malware. Since I am their go to Tech Guru they would have called or emailed me for help if they ever did get one. Especially since I recommended they buy an Android phone.

        Those are the real facts about my experience with Android phones.

        This article must have been paid for exclusively by Mafiasoft in order to try and sell
        some of their 200 million MicroKlunk Reboot-A-Phone's still stuck in their inventory warehouse in Redmond!

        Shame on the editor for taking the FUD bribe.

        I'm blacklisting this editor as a Microsoft PUNK!
    • yes but

      Android has 80% market share but only 79% of the threats are directed toward it. I'm safe because I'm in the 1%. Lol
      • Me too!

        It's like so awesome right? :) Been using Android for around 3 years. I try to be careful with passwords, downloads, etc. Same as I do with my Windows laptop (no less under fire). So far so good.
    • Key word: vulnerable

      Many Android users enable the installation of apps from unknown sources and are careless with clicking links in SMS messages/email as well as careless where they get their apps. This is a user problem. And I wonder whether the manufacturers of cheap AOSP (Android Open Source Project)-based devices sold in China and elsewhere even have app stores available for their customers. Anyone know one way or the other?

      Android *is* vulnerable because:

      o many individuals are running outdated versions of Android
      o many OEMs and carriers are not pushing security updates to their devices in a timely manner

      At the same time, Android malware writers are starting to use well established methods from Windows malware:

      "Windows malware finds its way to Android
      August 16, 2013

      Clearly, it's time for Google, Open Handset Alliance members and device manufacturers using AOSP to wake up and grow up. In addition, the comments here from Android supporters remind me of those from many Apple OS X users pre-Flashback, when Apple was very tardy updating Java for its users. However, in the case of Android, it's the operating system and default applications.

      Forty-four percent (33 percent according to Wikipedia) of Android device users running Android versions 2.3.3 to 2.3.7 is a GIANT red flag. Just imagine if such a large percentage of users were currently running Windows 2000 or were running Windows XP after April, 2014. The Windows malware miscreants are eagerly awaiting the Windows XP EOL and the Android malware miscreants are learning from the Windows malware miscreants with no need to wait for an Android version EOL. In addition, the Android malware miscreants have relatively large time windows for exploits due to the slowness of security updates from many OEMs and carriers for currently 'supported' Android versions.

      Waiting with popcorn ready to pop ...
      Rabid Howler Monkey
    • yeah right

      just scaremongery to make the sheep upgrade thr phones
    • Spyware

      Spyware can infect an Android phone or tablet. It stays hidden but sends messages back to its home base. The spyware is looking for IDs, SSNs, Bank Account, Charge cards, etc. Since I don't have an android device I have no idea what protection is available, but an anti-spyware program is a must. So too are anti-virus programs and firewalls.
      • "...Since I don't have an android device I have no idea..."

        Yet you feel qualified to tell Android users how vulnerable they are?
    • 0,0005 % is infected

      just 0,0005 % is infected

      because almost all of them dont care about outside the play market ;)
  • The worlds most popular mobile OS

    With 80% of the global market share, is the primary target of malware.

    Shock, horror!

    I'd have thought they would be putting all their efforts into targeting Symbian, and BlackBerry.
    • Popularity is not the reason Android dominates in malware.

      Android is the primary target for malware, because its security model has issues that make it the easiest target. That was true even before it was the most popular mobile operating system.

      Most android devices are running versions of Android that are years out of date with known vulnerabilities that will never be patched and that is just one of the problems Android has.
      • Ok

        That is true, but you think if only 5% of devices were running it then the interest in malware would be there?
        • Combination of both

          Depends on what devices they're on and the security architecture and design of the OS itself.

          5% of mobile phones? Agree, not very interesting as the payback is not likely to be substantial either financially or notoriety. Control or navigation devices? A lot more interesting and worthwhile.
        • iOS didn't have this problem when it dominated mobile

          and by most accounts it is still a very large portion of mobile as well as the most lucrative market. Yet it doesn't have anywhere even remotely close to the security issues that Android has.

          Being popular isn't the sole factor for Android being the most targetted. Being popular and having the most security issues makes it a haven for security problems.

          The Nexus line of Androids is the a step in the right direction, but that is just a few devices.
          • iOS never dominated

            When did iOS ever dominate mobile?
          • Ok, to be clear

            There was a time that iOS was far more popular than Android was, but it did not have even a fraction of the security problems that Android does.

            The rise in popularity isn't the only reason Android is so far ahead of other mobile operating system security issues. More like a force multiplier though.

            Also I am not saying Android is doomed or people are crazy for using it. It just has the most security issues. Even before it was more popular than iOS.
          • to be clear

            SHOW SOME PROOF!

            Who do you know who has an Android phone and got a virus?

            I'd bet ZERO.


            Because you are a paid Shill from Redmond.
          • Wow! What kind of IT guru are you?

            You might call yourself an IT guru but no match to people who actually work on IT security.

            You want proof?

            Here is one...go to Android Play Store and download the app "China Daily News" onto your smartphone and see what it does to your phone?

            Than read the feedback and see why so many people were complaining that it works fine initially and than crash out.

            The answer can be found if you have a security software installed, or a system function tracking software monitoring the system even when the app is not activated and the phone is supposed to be idle.
            These software will be able to show you that it is installing unauthorized apps and adding ads to your notification bar even when the apps is not running and the phone seems to be idle.

            Once these apps and ads are added that is when the system crashes.

            So, the next time if you have not encounter an issue, please do not put out a blanket statement to say there is no issue at all.

            This is coming from a guy who was involved in the design of communication equipment for the executive branch of the US government.