The American Civil Liberties Union has filed a complaint with the Federal Trade Commission alleging that the major wireless carriers’ failure to provide updates to consumers using non-Google-managed Android phones is a deceptive and unfair business practice.
The ACLU stated all four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices and have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software.
The organization requested that the FTC investigate the major wireless carriers and compel them to warn all subscribers using carrier-supplied Android smartphones with known, unpatched security vulnerabilities about the existence and severity of the vulnerabilities, as well as any reasonable steps those consumers can take to protect themselves, including purchasing a different device.
It is an “accepted norm” in the software industry for companies to provide regular, prompt security updates to their customers, according to the complaint’s co-authors, Christopher Soghoian, principal technologist and senior policy analyst for the ACLU’s Speech, Privacy and Technology Project, and Ben Wizner, the project’s director.
As examples, the authors cited Microsoft, which distributes automatic security updates to Windows PCs regardless of the manufacturer or place of purchase, and Apple, which distributes security updates directly to Macintosh computers and iOS mobile devices such as the iPhone and iPad, regardless of the place of purchase or the wireless carrier used.
While Google-managed Nexus devices receive software updates directly from Google, the complaint points out that non-Google-managed Nexus devices do not, and cannot, receive OS updates without the participation and approval of the wireless carrier. In this case, non-Google-managed Nexus devices and all other Android smartphones receive OS updates only when they are made available by the device manufacturer or the wireless carrier that sold the device.
“Widely distributed Android malware has exploited known security vulnerabilities in the Android operating system for which fixes from Google existed, but which the vast majority of consumer devices had not received at the time of infection,” the complaint stated. “A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers’ smartphones by the wireless carriers and their handset manufacturer partners.”
The filing comes one day after security firm Symantec released its latest Internet Security Threat Report (ISTR), which revealed a 42 percent surge during 2012 in targeted attacks, compared with the prior year’s level. The report indicated that consumers remain vulnerable to ransomware and mobile threats, particularly on the Android mobile OS. Android’s market share, its open platform and the multiple distribution methods available to distribute malicious apps make it what Symantec called the “go-to platform” for attackers.
Another report by NQ Mobile, which was released April 15, found nearly 95 percent of all mobile malware discovered in 2012 targeted Android. More than 32.8 million Android devices were infected in 2012, compared with 10.8 million in 2011, an increase of more than 200 percent. In addition, in February of this year, a new type of mobile malware was discovered that could jump from an Android device to infect a PC when they were connected through the USB port.