The failure of the four main US carriers – AT&T, Verizon, Sprint and T-Mobile – to issue updates and patches to the Android handsets they sell is leaving users vulnerable to hacking attacks, says the American Civil Liberties Union (via Ars Technica).
Civil liberties advocates have asked the US Federal Trade Commission to take action against the nation’s four major wireless carriers for selling millions of Android smartphones that never, or only rarely, receive updates to patch dangerous security vulnerabilities …
Unlike iOS, where the majority of iPhones are updated automatically over the air, many Android phones never receive an update once sold. Virgin’s Optimus V, for example, is still running Froyo, although parent carrier Sprint updated over a year ago.
“All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices,” Christopher Soghoian, principal technologist and senior policy analyst for the ACLU, wrote in the document. “The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, e-mail, instant messages, and online banking credentials.”
NQ Mobile’s Security Report (via BGR) recently found that the number of compromised Android devices tripled last year, growing from 10.8 million in 2011 to 32.8 million in 2012. However, it’s important to note that the majority of infected phones are in China, India and Russia.
Users who download software only from the Google Play store, and check reviews before downloading, are unlikely to be at significant risk.