MIT Technology Review

In mid-February, an unknown developer posted a number of applications for the Android smart phone—titles including Bowling Time, Super Guitar Solo, and Dice Roller—to Google’s Android Market.

Two weeks later, a blogger discovered that these applications were actually Trojan horses—they contained malicious code dubbed DroidDream that was designed to infect a user’s Android phone. The attack creates a backdoor into the victim’s smart phone, allowing the attacker to install additional malicious software on the device.

On March 1, Google removed the Trojan applications; a total of 58 were found to contain the DroidDream malware. Google also said it had determined that approximately 260,000 Android phones had been infected, although no personal information was compromised. Google then used a feature built into Android that allowed it to remotely remove the rogue applications from infected devices.

Yet even now, as many as half of all Android users continue to be vulnerable to a software bug that DroidDream exploited. “Google’s fix removes the actual packages that exploited the flaw, but doesn’t fix the underlying vulnerability,” says Kevin Mahaffey, chief technology officer at mobile security firm Lookout, which has analyzed the malware.

With Android, each mobile phone company has its own build of the Android operating system so that it can include its own user interface, graphics, and branding. Although Google released an updated version of Android that fixed the vulnerability soon after it was discovered, at least 42 percent of phones run an older version that is still vulnerable, according to data available on the Android developer site.

Fixing phones properly requires hardware makers to create their own updates incorporating Google’s fix; they test those updates and pass them on to carriers, who also test the fixes before pushing them out to customers. Apps for Android devices, including ones developed by Google, could be updated through the Android Market, but system software has to be updated through the carrier’s channel.

“This is absolutely a problem—it is not timely enough,” says Zach Lanier, a security consultant with the mobile-security services firm Intrepidus Group. Lanier adds that many smart phones may never see an update because risk-averse carriers are cautious about pushing software patches that could affect their networks. Manufacturers also have to deal with dozens of phone models, and testing the software against all those devices is labor-intensive. Google would not comment on Android security, but the company says it is working with phone manufacturers and carriers to fix the issues.

Credit: Lookout
