Android, the simmering security shemozzle

Fragmented and slowly-patched, but insanely popular

"They're very scary devices": Android according to Sydney Opera House chief information officer Grant Cresswell. (Stilgherrian/CSO Online)

Even apart from the serious security flaw in HTC Sense and malware that talks to an encrypted blog, to name just two recent issues, a consensus seems to be emerging. Android has serious security problems.

"I think it's quite scary," said Grant Cresswell, chief information officer of the Sydney Opera House, at the launch of Kaspersky Endpoint Protection 8.0 in Sydney last night.

"I like the idea of freedom, but we know freedom brings a price," he said.

"Having played with an Android for some time I actually think they're very scary devices, and for a corporate world we've got to come up with some fairly clear strategies about how you support them, or not support them."

Unlike Apple's complete control over its iOS operating system and the iPhone and iPad hardware it runs on, Android comes in myriad versions, each with three parents. Google for the core system. A hardware manufacturer that adds its own customisations, like HTC Sense. And a telecommunications provider that also adds customisations.

Software updates don't happen without the involvement of all three, and traditionally telcos haven't been in the software update business. Vulnerabilities get patched slowly, or not at all.

That Android is an attractive target shouldn't surprise anyone. Some time this month the number of Android activations is expected to reach one million devices per day. According to AVG Technologies' latest Community Powered Threat Report, Android now has almost 50% of the world's smartphone market.

"The hackers will always be where users are," Yuval Ben-Itzhak, AVG's chief technology officer, told CSO Online earlier this week.

"If everyone now is using Android on their phones and downloading the popular games and the popular apps, then surprise surprise! The hackers will be there."

AVG has seen an Android trojan that can record conversations, save them to the device's SD card, and upload them to a server later -- along with SMSs sent and received, and GPS location data.

"It's very much like the PC in the early days," Ben-Itzhak said.

And like PCs, Android devices -- and smartphones generally -- are full of personal information.

"What concerns me," said IBRS information security advisor James Turner, "is the ease with which information can be stolen from these devices."

"These devices are inherently connected, whether it's by Bluetooth, Wi-Fi, 3G or 4G," he told the Kaspersky audience. "People are increasingly going to be doing transactions on their phones with near field communication, storing a lot of personal information on these things."

"For me it's not so much the case of the next SQL Slammer, it's more a case of a piece of malware which is just designed to go out there and just start stealing information from people's devices. And it doesn't have to be big, it doesn't have to be flashy, it can just hit a couple of hundred people."

The result would be "personally devastating for them, highly effective for the attacker, and so localised that the anti-virus companies will never get a chance to look at the thing," Turner said.

And as Cresswell pointed out, smartphones are increasingly becoming the repository for people's passwords -- in an eminently stealable form.

However, Nathan Wang, vice president of Kaspersky Lab's technical divisions in the Asia-Pacific region, said the number of malicious applications being written for Android is the key factor, not the number of devices. Here, Android may not necessarily be so vulnerable.

The many varieties of Android make it harder for an attacker to ensure their malicious code will run cleanly on a given device, he said. Kaspersky Lab and, presumably, other security vendors have large quality assurance teams. Malware writers, not so much.

"It's tough for them to write this sort of application," Wang said, "not to mention... how to deliver this kind of stuff to the devices, how to make it download, how to avoid being detected."

Writing the virus or trojan is only the first step. Attackers also have to create a "black" chain to turn the stolen information into money.

But according to AVG, stealing credit card numbers is now passé.

"All the attackers need to do is trick users to provide their phone number and from that point they can get their money with the help of the phone companies, in many cases, they will not even notice it," the company wrote.

Meanwhile, Cresswell is treating Android devices with caution.

"We isolate the devices to their own guest network and that really gives them only one thing, access to the internet. And each other. And effectively they have to come back in through the front door to get anything out of our system," he said.

Stilgherrian's Sydney accommodation was provided by Kaspersky Lab.

Contact Stilgherrian at Stil@stilgherrian.com or follow him on Twitter at @stilgherrian
