Android, the simmering security shemozzle

Fragmented and slowly-patched, but insanely popular

"They're very scary devices": Android according to Sydney Opera House chief information officer Grant Cresswell. (Stilgherrian/CSO Online)

Even apart from the serious security flaw in HTC Sense and malware that talks to an encrypted blog, to name just two recent issues, a consensus seems to be emerging. Android has serious security problems.

"I think it's quite scary," said Grant Cresswell, chief information officer of the Sydney Opera House, at the launch of Kaspersky Endpoint Protection 8.0 in Sydney last night.

"I like the idea of freedom, but we know freedom brings a price," he said.

"Having played with an Android for some time I actually think they're very scary devices, and for a corporate world we've got to come up with some fairly clear strategies about how you support them, or not support them."

Unlike Apple's complete control over its iOS operating system and the iPhone and iPad hardware it runs on, Android comes in myriad versions, each with three parents. Google for the core system. A hardware manufacturer that adds its own customisations, like HTC Sense. And a telecommunications provider that also adds customisations.

Software updates don't happen without the involvement of all three, and traditionally telcos haven't been in the software update business. Vulnerabilities get patched slowly, or not at all.

That Android is an attractive target shouldn't surprise anyone. Some time this month the number of Android activations is expected to reach one million devices per day. According to AVG Technologies' latest Community Powered Threat Report, Android now has almost 50% of the world's smartphone market.

"The hackers will always be where users are," Yuval Ben-Itzhak, AVG's chief technology officer, told CSO Online earlier this week.

"If everyone now is using Android on their phones and downloading the popular games and the popular apps, then surprise surprise! The hackers will be there."

AVG has seen an Android trojan that can record conversations, save them to the device's SD card, and upload them to a server later -- along with SMSs sent and received, and GPS location data.

"It's very much like the PC in the early days," Ben-Itzhak said.

And like PCs, Android devices -- and smartphones generally -- are full of personal information.

"What concerns me," said IBRS information security advisor James Turner, "is the ease with which information can be stolen from these devices."

"These devices are inherently connected, whether it's by Bluetooth, Wi-Fi, 3G or 4G," he told the Kaspersky audience. "People are increasingly going to be doing transactions on their phones with near field communication, storing a lot of personal information on these things."

"For me it's not so much the case of the next SQL Slammer, it's more a case of a piece of malware which is just designed to go out there and just start stealing information from people's devices. And it doesn't have to be big, it doesn't have to be flashy, it can just hit a couple of hundred people."

The result would be "personally devastating for them, highly effective for the attacker, and so localised that the anti-virus companies will never get a chance to look at the thing," Turner said.

And as Cresswell pointed out, smartphones are increasingly becoming the repository for people's passwords -- in an eminently stealable form.

However, Nathan Wang, vice president of Kaspersky Lab's technical divisions in the Asia-Pacific region, said the number of malicious applications being written for Android is the key factor, not the number of devices. Here, Android may not necessarily be so vulnerable.

The many varieties of Android make it harder for an attacker to ensure their malicious code will run cleanly on a given device, he said. Kaspersky Lab and, presumably, other security vendors have large quality assurance teams. Malware writers, not so much.

"It's tough for them to write this sort of application," Wang said, "not to mention... how to deliver this kind of stuff to the devices, how to make it download, how to avoid being detected."

Writing the virus or trojan is only the first step. Attackers also have to create a "black" chain to turn the stolen information into money.

But according to AVG, stealing credit card numbers is now passé.

"All the attackers need to do is trick users to provide their phone number and from that point they can get their money with the help of the phone companies, in many cases, they will not even notice it," the company wrote.

Meanwhile, Cresswell is treating Android devices with caution.

"We isolate the devices to their own guest network and that really gives them only one thing, access to the internet. And each other. And effectively they have to come back in through the front door to get anything out of our system," he said.

Stilgherrian's Sydney accommodation was provided by Kaspersky Lab.

Contact Stilgherrian at or follow him on Twitter at @stilgherrian
