The Department of Homeland Security and the FBI are warning police and fire departments as well as emergency medical service providers and other security personnel that out-of-date Android devices pose a serious security risk to those organizations. The warning came via an unclassified memo distributed to those groups and obtained by the transparency advocates at Public Intelligence.
The bulletin – issued by the DHS and FBI in late July and made public by Public Intelligence over the weekend – cites unspecified industry statistics claiming that 44 percent of Android users are running the out-of-date Gingerbread version of the operating system. Gingerbread was released in 2011. However, Google monitors the platform version of every Android devices that visits the Google Play store, and the figures they’ve collected over the most recent 14-day period (ending August 1) indicate that 37.9 percent of visitors are running Gingerbread or earlier versions of the mobile operating system.
Regardless of which is the accurate number, both are significant given that Android is the most widely used mobile operating system in the world. In fact, the latest survey from the technology research group Gartner claims that Android’s mobile operating system commanded 79 percent of the mobile market-share in the second quarter of this year. Apple’s iOS had the second biggest share, accounting for just 14.2 percent of that market.
The reason for the warning is that the Gingerbread variety of the Android operating system contains a slew of vulnerabilities fixed in later versions and is therefore vulnerable to numerous threats. The bulletin seems to indicate that federal law enforcement agencies are concerned that employees of local law enforcement and other emergency response departments are exposing critical networks to unnecessary risk by failing to update their personal devices. Corporations have been dealing with this problem for years, as bring-your-own-device policies are the ever-increasing norm at offices around the world.
Among the threats, according to the joint DHS-FBI roll call release, are premium-rate SMS Trojans, rootkits, and fake Google Play domains that attackers use to trick users into installing malicious applications. The bulletin urges users to update devices as early and as often as possible, to run an “Android security suite,” and to make sure they only download applications from the official Google Play store and avoid third party market places.
The bulletin contains a pie chart illustrating that the lion’s share of mobile malware threats targeting Android. According to information prepared and provided by the office of Intelligence and Analysis’s Cyber Intelligence Analysis Division, the National Protection and Programs Directorate of the US Computer Readiness Team and the FBI’s Directorate of Intelligence, 79 percent of mobile malware targets Android, 17 percent targets Symbian, 0.7 percent targets iOS, and 0.3 percent targets Windows Mobile and Blackberry respectively. The release does not supply specifics beyond that.