In late November 2016, the security team at Check Point Software Technologies revealed a new malware campaign named Gooligan, which had breached more than a million Android phones.
The malware, which reaches phones through phishing links or apps downloaded from outside the Google Play store, steals the Google authentication tokens stored on a device and uses them to access the victim's Google accounts (including Gmail, Google Drive, Google Photos and G Suite) without ever needing the account password.
Gooligan also can install and rate apps from Google Play and even install adware to generate revenue.
The malware, which has been found in at least 86 apps distributed outside the Google Play store, affects devices running versions 4 or 5 of the Android operating system, first released in 2011 and 2014 respectively.
These account for more than 72 percent of users, despite the fact that two newer versions exist. Marshmallow, version 6, was released in October 2015, and Nougat, version 7, was released in August 2016.
Android users can check to see whether their account is compromised, re-install their operating system and change their account passwords. And Google has taken action to protect users.
But millions of Android users are running out-of-date software that leaves them vulnerable to a whole host of publicized security flaws, as well as surveillance by law enforcement.
While Google regularly updates its operating system for its own Nexus and now Pixel devices, users of less expensive Android phones have to wait much longer.
Android updates roll out so slowly that older software versions keep gaining market share even after newer ones are released, in stark contrast with the quick adoption of new iPhone versions. Bloomberg reported in May that 84 percent of Apple’s mobile devices run the latest software, compared with 7.5 percent for Android.
According to one 2015 report, more than 87 percent of Android devices were exposed to at least one of 11 known critical vulnerabilities.
The delays are the result of a fractured ecosystem that has plagued Android for years. While Google maintains the core operating system and updates, consumers must wait for carriers and device makers to push them out.
Christopher Soghoian, principal technologist at the American Civil Liberties Union, recently described this as “not just a cybersecurity problem – it’s a civil rights problem.”
One reason many Android users are vulnerable is that when Google ships its monthly fixes to its own devices, it also publishes the details of the security flaws in a security bulletin. Devices still waiting on a carrier or manufacturer for the same fixes are left exposed during that gap, giving hackers and malicious actors time to capitalize on the published flaws.
“Ideally, the updates would go out at the same time,” said Joshua Drake, vice president of platform research and exploitation at Zimperium Enterprise Mobile Security.
“Think about it from a hacker’s point of view,” he said. “They’re waiting for this monthly Nexus (Security) Bulletin or Android Bulletin to come out, and they’re looking for something really good to write an exploit for and start working on an exploit from there.”
Although smartphones often are sold on 12- to 24-month contracts, devices that are about a year and a half old often don’t get any software updates, regardless of when the user purchased the phone.
“Last year, Google announced there would be monthly updates, but the monthly updates are only as good as the willingness of OEMs (original equipment manufacturers) to give them to users, and some of the OEMs have already walked back and said they can’t keep up,” Soghoian said.
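The lag Soghoian describes can be measured on a device. The following is an added example, not code from the article or from Check Point: a POSIX shell helper that reads two real Android system properties (`ro.build.version.release` and `ro.build.version.security_patch`, the latter only present on builds from Android 6.0 onward) and reports whether the release is in the Android 4/5 range Gooligan targets and how many months the device's patch level trails a reference date. The two-month "stale" threshold and the function names are assumptions for illustration; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify an Android device by OS release and security patch level.
# Property names are real Android system properties; everything else (function
# names, the 2-month staleness threshold) is an assumption made for this example.
#
# Usage against a connected device (reference date = current bulletin month):
#   ./check.sh "$(adb shell getprop ro.build.version.release | tr -d '\r')" \
#              "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')" 2016-12-01

# Echo "yes" if the major release is 4 or 5 (the range Gooligan targets), else "no".
gooligan_range() {
  major=${1%%.*}          # "5.1.1" -> "5", "4.4.4" -> "4"
  case "$major" in
    4|5) echo yes ;;
    *)   echo no ;;
  esac
}

# Whole months between a patch level (YYYY-MM-DD) and a reference date (YYYY-MM-DD).
patch_lag_months() {
  py=${1%%-*}; pm=${1#*-}; pm=${pm%%-*}; pm=${pm#0}   # strip leading zero: "09" -> "9"
  ty=${2%%-*}; tm=${2#*-}; tm=${tm%%-*}; tm=${tm#0}   # (a leading 0 would be read as octal)
  echo $(( (ty - py) * 12 + (tm - pm) ))
}

# Print a one-line summary; return 0 if current, 1 if stale, 2 if no patch level at all.
android_patch_status() {
  release=$1
  patch=$2      # empty on pre-6.0 builds, which predate monthly patch levels
  today=$3
  in_range=$(gooligan_range "$release")
  if [ -z "$patch" ]; then
    echo "release=$release gooligan_range=$in_range patch_level=none lag_months=unknown status=unpatched"
    return 2
  fi
  lag=$(patch_lag_months "$patch" "$today")
  if [ "$lag" -gt 2 ]; then status=stale; rc=1; else status=current; rc=0; fi
  echo "release=$release gooligan_range=$in_range patch_level=$patch lag_months=$lag status=$status"
  return $rc
}

# Run as a script with three arguments; constructed sample:
#   ./check.sh 7.0 2016-06-01 2016-12-01  -> lag_months=6 status=stale, exit 1
if [ "$#" -eq 3 ]; then
  android_patch_status "$@"
fi
```

A device that returns no `ro.build.version.security_patch` at all is the case that matters most for Gooligan: it is an Android 4/5 build that never received monthly patch levels, so the missing property is itself the finding, not a parse error.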
This stands in contrast with Apple’s iPhones. Only the iPhone 4S, released in 2011 and no longer sold in the Apple Store, and older models won’t run iOS 10, the latest version of the operating system.
Obviously, companies can’t be expected to indefinitely support very old devices, but Drake said they should be expected to support the software they release for a reasonable amount of time.
“If they don’t want to sell and support cheap devices, then they shouldn’t do it,” he said.
But Soghoian said there’s little financial incentive for companies to provide such support for older devices.
“This is not a technical problem,” he said. “This is an economic problem, and really what it boils down to is that most of the companies that manufacture Android phones are not interested in bearing the cost of providing ongoing updates.”
“The carriers don’t care, the OEMs don’t care, and the carriers aren’t really facing any regulatory threat,” he added. “It’s a ticking bomb for cybersecurity.”
So who’s to blame? Creating an enforceable obligation to upgrade systems is not an easy task.
In 2012, a class-action lawsuit was filed against Motorola Mobility Inc. The company had released its CLIQ XT mobile handset in March 2010, and the phone was based on the outdated Android 1.5 mobile operating system.
For 10 months, Motorola repeatedly made public statements of its intentions to upgrade the system to Android 2.1 on its own website, Twitter account and online service forum. In the interim, the phone became incompatible with various popular mobile apps.
Motorola settled the lawsuit by providing a $25 credit in its online store for anyone who had purchased that particular mobile handset prior to Feb. 2, 2011, the day before it announced that the upgrade to 2.1 never would take place. In this instance, the company claimed it would make the upgrade and then didn’t do so – it’s not likely that a class-action lawsuit would have been successful otherwise.
The ACLU filed a complaint with the Federal Trade Commission in 2013 arguing that major wireless carriers had engaged in unfair and deceptive business practices by failing to warn customers about unpatched security flaws in their phones’ software.
In Europe, the Dutch Consumers’ Association sued Samsung earlier this year over device support, pointing out that consumers aren’t informed about how long they’ll receive software updates or about critical security issues – which, it states, is an unfair business practice.
Maurice Wessling, who coordinated the lawsuit, said the association was pushing for updates for two years from the moment of sale for the phone, rather than when the phone was released.
The lawsuit was a fast-track one intended for urgent matters. It was dismissed for procedural issues, as the judge deemed it too complicated for this procedure. However, the Dutch Consumers’ Association is considering filing another suit, which would be a broader, more thorough proceeding in a different court.
Class-action lawsuits against carriers are significantly more difficult because many carriers have arbitration-only clauses, which don’t allow consumers to go to court or bring a case on behalf of multiple parties.
In May, the FTC ordered eight mobile device manufacturers to provide information on the factors they consider in deciding whether to patch a vulnerability on a particular mobile device, as well as a list of devices offered for sale since August 2013, the vulnerabilities that have affected those devices and whether they were patched.
In addition, the Federal Communications Commission is “conducting a separate, parallel inquiry into common carriers’ policies regarding mobile device security updates,” it stated in the press release.
“These studies typically result in public reports that may contain recommendations for consumers, industry, and Congress,” Jay Mayfield, an FTC spokesman, wrote in an email. “There has been a lack of transparency in the mobile industry regarding the process for developing and deploying security updates to mobile devices. The Commission’s study is designed to provide insight into the parties that are responsible for this critical process, where there may be areas for improvement, and to ensure that consumers and other stakeholders are fully informed about this issue.”
Mayfield said the FTC expects to issue a public report with its findings once the study is completed, but it’s too soon in the process to speculate about other potential outcomes. The FCC, which is working in partnership with the FTC, also could take action, though critics argue that it has a poor track record in dealing with cybersecurity issues.
Sean Sullivan, security adviser at F-Secure Corp., which provides cybersecurity services, agrees that regulators should be looking into the issue: “If you look at the demographics of where Android is deployed, it’s not your upper-middle-class individuals who are buying a new phone every year; it’s people who buy a phone for two, three years and get it from the carrier.”
Independent security researcher and operational security trainer Matt Mitchell thinks Google could be doing more to ensure that carriers and manufacturers in its partner network prioritize security updates, perhaps by penalizing those that don’t have the latest updates.
Mitchell points out that in its internet search business, Google delists websites with malware and doesn’t include payday loan or predatory lending sites in its search results.
“Google knows for the open internet and for the good of society, certain things just shouldn’t be out there. … I don’t see why they don’t apply this to the other parts of their business, namely the mobile phone industry,” he said.
Because Google benefits financially from keeping the manufacturers it partners with happy, asking it to require carriers and manufacturers to follow specific mandates might be a tall order.
“We’re constantly working to improve the safety and security of the Android ecosystem,” a Google spokesman said. “Like many Android efforts, security is a team effort, and we’re working closely with OEM and carrier partners to keep users safe.”
Mitchell, who compares the current mobile device customer base to people who were unaware that cigarettes were unhealthy back in the 1950s, would like to at least see warning labels or some kind of rating system for phone privacy and security.
“The burden shouldn’t be on the consumer, because the consumer doesn’t have stuff in plain English to understand the risk that they’re taking,” he said. Mapping data from 2014 indicates that iPhones proliferate in high-income areas, whereas Android phones often are found in lower-income areas.
“You have to worry about the consumers,” Mitchell said. “These are things that you’ll find in other industries that are really lagging behind in tech, and it hurts real people, and those people tend to be marginalized to begin with.”
And then there’s the fact that Google doesn’t offer solutions that are accessible to lower-income people.
“Earlier with Nexus, you had some really affordable Nexus phones, which made it seem like there were some options for regular Americans who couldn’t afford the high-end phones,” said Soghoian, of the ACLU. “But if Google is killing off Nexus and making the Pixel the only device that gets regular updates, then really we end up furthering the digital security divide, where the rich get security and the poor get insecurity.
“The market’s solving the problem at the high end, but it’s leaving most working Americans behind. The digital security divide, of which Android is a major piece of the puzzle, is perpetuating inequalities in our society.”
This story was edited by Fernando Diaz and copy edited by Nikki Frick.
Yael Grauer can be reached at yael@yaelwrites.com. Follow her on Twitter: @yaelwrites.