Google’s Android upgrade, known as Android L, promises to address fragmentation and security issues that have long plagued its ubiquitous operating system while raising new concerns.
Currently in developer preview mode, Android L brings speed to any platform it runs on, comes with optimized instructions and a lot of changes that expand Android’s reach to new applications.
“Google is clearly doubling down on the platform and it is seeking to extend itself outside of just the usages that you’re used to,” said ESET North America security researcher Cameron Camp. “And it wants to get into TV. It wants to get into wearable computing. It wants to get into a lot of areas you don’t traditionally think of Android as being a part of.”
Looking to provide users with a more seamless experience across devices, Camps says Google gave Android L “more levers and dials and bells and whistles for developers to access and get into … And that means that there is some larger attack surface that has to be secured,” he said.
Android attracts the lion’s share of security woes by virtue of its popularity and prevalence. But Camp says the problems are not necessarily related to the operating system, but to “what you add on top of it.”
That often includes malicious applications. Symantec Security Response researcher Candid Wueest says users often unknowingly download advertised Trojans, which trick them into installing them despite the warnings against granting permission for the app to install.
“The current Android version allows the user to scan every application that is installed for malware, even the ones sideloaded from external sources,” said Wueest in an email interview. “Unfortunately, most user[s] do not use this feature.”
Mobile Security Dos & Don’ts
- DON’T install apps from unknown or unverified sources
- DO check your permissions before you install an app
- DO use a passcode to lock your mobile device
- DO create regular backups for your mobile data
- DON”T own a mobile device that does not have a locking mechanism
- DON’T own a mobile device that does not have remote-retrieval and tracking
- DON’T own a mobile device that does not have a remote-wipe system
Source: Symantic researcher Candid Wueest; ESET North America researcher Cameron Camp
Another part of the problem is that Google has allowed hardware carriers and original equipment manufacturers or OEMs to tweak its patches and updates in a long, protracted process.
“Many devices use a slightly modified Android version provided by their phone vendor,” said Wueest. “On such devices it can take longer to get the official updates released, which means the phones are exposed to attacks.”
Unlike Apple, which vets the apps arriving in its store and the way they interact on its platform, Google’s open approach “allows attackers to create and spread malware quickly,” he said.
“Most of the malware is hosted on third-party markets not directly controlled by Google,” he said. “Such apps can be advertised with links on social media, making it difficult for Google to remove.”
Even when removed, Wueest says “new variants are created and uploaded again by the attacker.” Readily available toolkits can help attackers create malware and “become part of the cybercrime ecosystem.”
Apple has successfully fended against malware by analyzing every application before it is installed on its iOS platform, said Wueest.
The company controls the process “from start to finish,” says Camp, whereas for Android, this approach “restricts a certain amount of creativity” and “restricts the ability to get into the market in a fast manner – as fast as possible.”
But Apple has not been always immune to security issues, missing what Wueest calls “a few greyware applications with annoying behavior,” which were not malware.
“On the other hand there are the vulnerabilities,” he added. “Last year, 127 vulnerabilities were reported for mobile phone operating systems, 82 percent of which targeted iOS, and only 13 percent for [the] Android system. Fortunately, it is still rare to see mobile malware use vulnerabilities to infect the devices.”
Regular security updates will definitely help keep most mobile phones updated, says Wueest. And Google is “intensifying its work to scan all apps in the official Play store on the device itself, making it more difficult for malware to get installed,” he said.
How much more secure will the expanded Android OS be when it is released in the fall? That remains a concern for Camp.
While attackers will always test the limits and vulnerabilities of new platforms, he says Android L offers so many ways to interface with it, that it begs the question: “does that mean that there are so many ways to scam it?”
“They’ve released a lot of new programming interfaces to Android L,” he said. “And that represents new ways in which they would have to secure and new ways in which scammers would be able to get and study and find out ways to exploit.”