Millions of Android users vulnerable to security threats, say feds

Amid ongoing U.S. government mass surveillance claims, the DHS and FBI are more aware than ever of its use of the Android platform, and the vulnerabilities that go with it.
Written by Zack Whittaker, Contributor
Image: CNET/CBS Interactive

Android remains the world's most widely used operating system, based on market and usage share statistics, used by hundreds of millions of customers worldwide.

But, according to a new document obtained by Public Intelligence, the U.S. Dept. of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) are increasingly aware of the threats its law enforcement users and officials face at a federal, state, and local level in using older versions of the mobile platform.

According to the roll call release — marked as unclassified but "for official use only," and designed for police, fire, emergency medical services (EMS) and security personnel — upwards of 44 percent of Android users worldwide are still using Android versions 2.3.3 to 2.3.7, which still contain security vulnerabilities fixed in later versions.

The document does not state, however, how many U.S. government staff use Android, let alone older versions of Android, on its networks.

Android continues to be a "primary target for malware attacks due to its market share and open source architecture," the document says, and an uptick in mobile device use by government users "makes it more important than ever to keep mobile [operating systems] patched and up-to-date."

As many will know, staying ahead of the Android security curve requires actively ditching existing handsets and buying a new device, particularly in a bring-your-own-device world where this falls down to the responsibility of the user. Many manufacturers and carriers do not issue the latest Android versions for older devices. 

Some highlights from the report:

  • 79 percent of malware threats affect Android, with 19 percent targeting Symbian. Windows Mobile, BlackBerry, iOS, and others all peg in at less than 1 percent each. (The source of the figures is not known.)
  • SMS text messages represent "nearly half" of the malicious applications circulating today on older Android operating systems. Users can mitigate by installing Android security suites on their devices.
  • Rootkits also pose a massive threat. The DHS/FBI document notes that in late 2011, a popular rootkit Carrier IQ was installed on millions of devices, including Apple iPhones (though Apple later removed the software) and dozens of Android devices. These rootkits often go undetected and can log usernames, passwords, and traffic without the user's knowledge — a serious security risk in a government enterprise setting.
  • Fake Google Play domains are sites created by cybercriminals, the document notes, which replicate the Android application store to trick users into installing fake or malicious apps. DHS/FBI note that only IT approved updates should be allowed, hinting that IT department should ensure secure IT policies from back-end mobile device management services.

You can find the roll call release embedded below, or via Public Intelligence's website [PDF].

Editorial standards