The next shoe has fallen in an effort to force wireless carriers and handset makers to provide regular security updates to Android mobile devices. The American Civil Liberties Union filed a complaint this week with the U.S. Federal Trade Commission accusing four leading carriers of deceptive business practices and knowingly selling defective phones to consumers and businesses.

ACLU principal technologist and senior policy analyst Christopher Soghoian brought the issue to light earlier this year the Kaspersky Lab Security Analyst Summit where he said millions of Android devices were multiple versions in arrears and vulnerable to not only attacks on their personal digital information, but potentially physical attack as well.

In the complaint written by Soghoian, the ACLU asks the FTC to investigate Verizon, AT&T, TMobile and Sprint Nextel, adding that the carriers’ reluctance to patch security vulnerabilities in Android phones is a deceptive and unfair business practice. Further, the ACLU requested that the FTC force carriers to warn customers about unpatched vulnerabilities, allow customers with vulnerable phones to escape their contracts without early termination penalties, and provide that customers may exchange at no cost their phones for another that receives regular security updates, or return the phone for a full refund.

The FTC came down hard on mobile hardware manufacturer HTC in late February, when a settlement was reached after a complaint was filed against HTC America charging them with putting the security and privacy of customers at risk by failing to provide regular security patches to Android devices. HTC, at significant costs, will have to not only develop at release patches, but establish a program that injects security into its development processes, submit to security assessments for 20 years and provide adequate security training for its developers.

It’s hard to tell what happens next with the ACLU complaint, Soghoian said.

“Now we wait. If the FTC decides to investigate, we won’t know about it until the investigation is over and a settlement is reached,” he said. “That could take a year or two. That is frustrating for outsiders, but that is just how the FTC does business.”

Threatpost reached out to all four carriers in question for comment. AT&T and Sprint Nextel never replied. TMobile spokesperson Glenn Zaccara provided a statement to Threatpost that said the company provides regular security updates to Android customers.

“We provide regular and frequent OS updates as well as maintenance releases for a variety of improvements, including security related improvements,” Zaccara said, adding that the most recent OS upgrades provided to customers were sent out April 8 when Samsung Galaxy S II and Samsung Galaxy Tab 2 users were upgraded to Jellybean (Android 4.1.2).

Android 4.1.2 was released by Google last Oct. 9, more than a month before Google released Android 4.2; 4.2.2 was released Feb. 11, meaning that current users remain releases behind.

“So in response to our complaint about slow updates, T-Mobile is citing a recent software update for 2 particular handsets, enabling users to upgrade to a version of Android that was released by Google in October of 2012,” Soghoian said. “How exactly does this make T-Mobile look good?”

Ars Technica did a detailed study on Android handset updates, and the numbers aren’t pretty for the four carriers in question here, as well as for a number of handset makers. Verizon, AT&T and TMobile sometimes took up to 13 months to provide updates, while many models from all four carriers never receive a second update.

A Verizon statement said: “We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience. We will review the complaint when it is filed with the FTC.”

The ACLU complaint is 17 pages long and goes into detail on the influence carriers have in terms of which features manufacturers are to include in smartphones, including carrier-specific apps and the removal of certain features, such as tethering capabilities, that would threaten the carriers’ revenue stream, the complaint said.

For context, the complaint cited numbers from ComScore Reports that 53 percent of smartphones used by consumers are Android devices, and that 70 percent of devices sold in the fourth quarter of 2012 were Android based. In addition, the complaint said that Google statistics show only two percent of Android devices are running the latest version of the OS, 4.2.x. Meanwhile, Android 2.3 (Gingerbread), released in 2011, is on 40 percent of Android devices, according to Google’s developer dashboard.

“The slow rate of adoption of the most recent versions of Android does not reflect a failure by consumers to seek out and install operating system updates,” Soghoian wrote in the complaint. “Instead, it reflects the fact that for most Android smartphones in use, updates to the most recent version of the operating system simply have not been made available for consumers to install.”

Android malware, meanwhile, is an extraordinary problem. Research done by Kaspersky Lab indicates that 99 percent of mobile malware targets Android because of its open source nature and the ease of which attackers can get malicious applications up on the Google Play store. The level of vetting, for example, does not match that of Apple’s App Store.

“Widely distributed Android malware has exploited known security vulnerabilities in the Android operating system for which fixes from Google existed, but which the vast majority of consumer devices had not received at the time of infection,” the complaint said. “The wireless carriers have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch. “

Categories: Mobile Security