Android security holes worry FBI, DHS
Federal government security experts are increasingly uneasy about the threats to law enforcement from using older versions of the mobile OS.
The FBI and the Department of Homeland Security are increasingly aware of the threats that law enforcement officers and officials at the federal, state, and local levels face from using older versions of the Android mobile operating system, according to a document obtained by Public Intelligence, a group focused on releasing government information to the masses.
According to the document (PDF) -- marked as unclassified but "for official use only," and designed for police, fire, emergency medical services, and security personnel -- upwards of 44 percent of Android users worldwide are still using Android versions 2.3.3 to 2.3.7, which still contain security vulnerabilities fixed in later versions.
The document, which is a month old but was posted by Public Intelligence late last week, does not state how many US government agencies are using Android, let alone older versions of Android, on their networks.
Android continues to be a "primary target for malware attacks due to its market share and open source architecture," the document states, and an uptick in mobile device use by government staffers "makes it more important than ever to keep mobile [operating systems] patched and up-to-date."
Some highlights from the report:
- 79 percent of mobile malware threats affect Android, while 19 percent target Symbian. Windows Mobile, BlackBerry, iOS, and others all peg in at less than 1 percent each. (The source of the figures is not known.)
- SMS text messages represent "nearly half" of the malicious applications circulating today on older Android operating systems. Users can mitigate the risk by installing Android security suites on their devices.
- Rootkits also pose a massive threat. The DHS/FBI document notes that in late 2011, popular rootkit Carrier IQ was installed on millions of devices, including Apple iPhones (though Apple later removed the software) and dozens of different types of Android devices. These rootkits often go undetected and can log usernames, passwords, and traffic without the user's knowledge -- a serious security risk in a government setting.
- Fake Google Play domains are sites created by cybercriminals, the document notes, which replicate the Android application store to trick users into installing fake or malicious apps. DHS/FBI note that only IT-approved updates should be allowed, hinting that IT departments should enforce secure policies through back-end mobile device management services.
This story was originally posted as "Millions of Android users vulnerable to security threats, say feds" on ZDNet.