The Dirty Dozen: 12 Most Vulnerable Smartphones All Run Android

A new study aimed at determining the most vulnerable smartphones shows that, unfortunately for Google, its Android army has the malware market cornered. “I don’t think people realize how chaotic the Android ecosystem is,” Harry Sverdlove, chief technology officer for the Massachusetts-based security firm Bit9, told SecurityNewsDaily.

Sverdlove cited Google’s convoluted chain of command, which requires cellphone carriers — as opposed to Google or phone manufacturers — to push out critical software updates for Android customers.

Bit9’s study, “The Most Vulnerable Smartphones of 2011,” released today (Nov. 21), puts statistics to the chaos and names the top 12 phones most vulnerable to mobile malware. All of them run on the Android operating system.

Dirty Dozen smartphones

From 1-12, Bit9’s “Dirty Dozen” most vulnerable phones are the Samsung Galaxy Mini, the HTC Desire, Sony Ericsson’s Xperia X1, the Sanyo Zio, the HTC Wildfire, the Samsung Epic 4G, LG’s Optimus S, the Samsung Galaxy S, the Motorola Droid X, LG’s Optimus One, the Motorola Droid 2 and the HTC Evo 4G.


The criteria for the list included each smartphone’s market share, how up-to-date and secure its software is and the frequency of the update cycles pushed out by the carriers.

In some cases, as with the Samsung Galaxy Mini and the Sanyo Zio, the average time period between when an Android upgrade was announced by Google and when it was finally stabilized and made available by the carrier for that particular model exceeded 300 days.

“Fifty-six percent of Android phones in the marketplace today are running out-of-date and insecure versions of the Android operating system software,” Bit9 said in the report.

Couple that with a tendency by carriers to focus all their attention on new or upcoming phones, and not on security for older models, and again the Android ecosystem reveals its flaws.

Bit9’s report came the same day as the security firm McAfee’s report on the third quarter of 2011, which said malware targeting Android devices has jumped 37 percent since Q2.

Focus is on future phones, not present problems

“Manufacturers release [Android] phones on 12-18 month cycles. They’re always focused on the next model, not focused at all on fixing security for existing users,” Sverdlove told SecurityNewsDaily. “Something has to change in the ecosystem, not the operating system. Google needs to take control of the operating system.”

Sverdlove said he believes consumers have become more security-conscious about their home computers, but they don’t necessarily adopt that same attitude toward their smartphones.

“Even in non-tech circles, we’ve started to learn safety when we use personal computers,” he said. “Most people know to be wary of strange emails, not to click on strange links, not to download anything in the world just because it has a picture of a cute kitten. I don’t think people realize that an Android [phone] is just another computer, and just as vulnerable.”

Open source has upsides and flaws

Many of the flaws Bit9 identified in Android stem from the fact that Android is an open-source platform, meaning that developers have access to the source code. This can promote innovation and creativity, but, according to Neohapsis security researcher Georgia Weidman, there’s a serious downside.

“Google prides itself on having a more open platform,” Weidman told SecurityNewsDaily. “Many developers, myself included, prefer it for this reason. That said, the open platform, where any app can do anything it wants, opens a lot of doors for malware developers.”

“The openness of the system comes with a price,” Ondrej Krehel, information security officer with Identity Theft 911, told SecurityNewsDaily.

Echoing Weidman, Krehel said open-source projects give developers the chance to collaborate and actually make platforms and applications more secure. But things can get out of hand if there isn’t somebody in place — Google, in this case — to oversee which applications get released and which don’t.

“There still has to be a guardian for the distribution of Android applications,” Krehel said. “The maintainer of the platform has to contribute to its security, because the end users will not be aware.”

Krehel said he believes Google is still learning how to maintain a balance of keeping Android open source and being a “good guardian.”

Revamping Android

Although overhauling Android is something Weidman doesn’t anticipate Google doing in the near future, she said Google could start to increase Android security by changing the permissions that applications request upon installation on customers’ phones.

Weidman said she recently built a simple Android app that requested some common permissions — “the sort of permissions that popular apps such as Facebook and Twitter clients ask for.”

Her proof-of-concept rogue app, called “Evil App,” then “used those permissions to steal personal data from the phone’s user and send it offsite to an attacker,” she said. “If you look at the permissions of the applications on your phone, chances are most of them could be silently spying on you, giving you no indication that anything is wrong. Why not let users pick and choose the permissions they want to allow?”

Weidman holds out hope for Android, and says that with “proper user awareness and more oversight when it comes to apps, I think it could mature into a stronger security model than Apple’s closed-source alternative.”

Krehel suggested Google could start to secure the Android system by increasing customers’ awareness of security threats and instructing them, in “human readable” manuals, on how to institute some simple security configurations on their phones.

Article provided by SecurityNewsDaily, a sister site to Laptopmag.com.

