Skip to Content

Securing All Androids Proves Tricky

The variety of devices running Google’s mobile OS on different networks makes security more complex.
March 17, 2011

In mid-February, an unknown developer posted a number of applications for the Android smart phone—titles including Bowling Time, Super Guitar Solo, and Dice Roller—to Google’s Android Market.

Bad apps: Smart-phone software from Lookout recognizes apps carrying DroidDream as malicious

Two weeks later, a blogger discovered that these applications were actually Trojan horses—they contained malicious code dubbed DroidDream that was designed to infect a user’s Android phone. The attack creates a backdoor into the victim’s smart phone, allowing the attacker to install additional malicious software on the device.

On March 1, Google removed the Trojan applications; a total of 58 were found to contain the DroidDream malware. Google also said it had determined that approximately 260,000 Android phones had been infected, although no personal information was compromised. Google then used a feature built into Android that allowed it to remotely remove the rogue applications from infected devices.

Yet even now, as many as half of all Android users continue to be vulnerable to a software bug that DroidDream exploited. “Google’s fix removes the actual packages that exploited the flaw, but doesn’t fix the underlying vulnerability,” says Kevin Mahaffey, chief technology officer at mobile security firm Lookout, which has analyzed the malware.

With Android, each mobile phone company has its own build of the Android operating system so that it can include its own user interface, graphics, and branding. Although Google released an updated version of Android that fixed the vulnerability soon after it was discovered, at least 42 percent of phones run an older version that is still vulnerable, according to data available on the Android developer site.

Fixing phones properly requires hardware makers to create their own updates incorporating Google’s fix; they test those updates and pass them on to carriers, who also test the fixes before pushing them out to customers. Apps for Android devices, including ones developed by Google, could be updated through the Android Market, but system software has to be updated through the carrier’s channel.

“This is absolutely a problem—it is not timely enough,” says Zach Lanier, a security consultant with the mobile-security services firm Intrepidus Group. Lanier adds that many smart phones may never see an update because risk-adverse carriers are cautious about pushing software patches that could affect their networks. Manufacturers also have to deal with dozens of phone models, and testing the software against all those devices is labor-intensive. Google would not comment on Android security, but the company says it is working with phone manufacturers and carriers to fix the issues.

In the personal computer industry, software makers generally release fixes more quickly. Automated software updates have become necessary features of applications and operating systems, and are typically applied frequently. As a result, PC and Mac users can expect to have issues fixed on their systems in 30 days on average, according to research by security firm Qualys.

Apple vets iPhone applications before making them available through the App Store—which Google does not do with the Android Market. But security fixes for the iPhone are also implemented more quickly because Apple does not rely on carriers to distribute security fixes for the operating system or for applications.”[Apple] doesn’t have to deal with a bunch of devices,” says Lanier. “Their walled garden gives them the control to react more quickly.”

“From a security standpoint, the more automated this stuff is, the greater the penetration of the patching will be and the better off everyone will be,” says Tom Cross, a security researcher with IBM.

Hackers are turning to methods that were originally developed to allow phone users to avoid restrictions imposed by carriers. This practice, known as “jailbreaking,” lets iPhone and Android users give their devices new functionality—such as turning it into a mobile Wi-Fi hotspot—without paying extra to the carrier.”The place where we are seeing mature reliable exploit code being disseminated are for vulnerabilities that people are using to jailbreak their phones,” says Cross. “Those exploits can be used for malicious purposes.”

Keep Reading

Most Popular

DeepMind’s cofounder: Generative AI is just a phase. What’s next is interactive AI.

“This is a profound moment in the history of technology,” says Mustafa Suleyman.

What to know about this autumn’s covid vaccines

New variants will pose a challenge, but early signs suggest the shots will still boost antibody responses.

Human-plus-AI solutions mitigate security threats

With the right human oversight, emerging technologies like artificial intelligence can help keep business and customer data secure

Next slide, please: A brief history of the corporate presentation

From million-dollar slide shows to Steve Jobs’s introduction of the iPhone, a bit of show business never hurt plain old business.

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.