On Friday, a blog at Check Point Software Technologies’ website said that its engineers had found severe infections on 36 Android devices belonging to two unnamed telecommunication and multinational companies. The post pointed out that this is not unusual, but that the striking element is that the infections came preinstalled on the devices.
Investigations found that the malware did not originate with the vendor, but was introduced in the supply chain. In six cases, the malware was added into the device ROM using system privileges, which means that users couldn’t remove it and the devices needed to be “reflashed” to be safely utilized. The post describes the malware and gives two examples.
We’ve long had been a debate about Android security. However, this usually stems from the differences between Android, which is an open system, and the more controllable Apple iOS model. The idea that supply chains to corporate customers are not secure is a new and distressing take on security vulnerabilities.
A mobile security update from Yahoo Finance posted before the release of the Check Point results suggested that the biggest danger to Android users remains the downloading of apps from third-party app stores. The piece says that Google Play Store does a good job of screening apps, though the tighter relationship between iOS and its apps means that there are more lurking dangers in Google, even if the apps are authorized.
The bigger concern appears to be the legion of apps that have been downloaded that have since been found to be insecure. The problem is simple: People don’t know (or don’t care) and the apps continue to be used. The story links to a McAfee report that calls for notification of people registered for an app when it is taken out of the store due to security issues.
Google’s overall approach to security was explained last month at eWeek. The biggest issue, as indicated by the Yahoo Finance story, is that the many versions of Android emerged at different times in the evolution of security. Older versions of Android are still in the field and must be supported. The OS is also used on many different brands and models of smartphone. Both factors – the shortcomings of legacy security approaches and the breadth of Android’s use – make security a very significant challenge.
The story featured comments made at the RSA Conference by Adrian Ludwig, the director of Android Security at Google:
Ludwig took specific aim at the issue of malware apps on Android. According to Google's latest data, only 0.69 percent of all Android devices have some form of potentially harmful app, he said. Going a level deeper, for devices that only get apps from the official Google Play app store, Ludwig estimates that at most only 0.05 percent of such Android devices have ever encountered some form of potentially harmful app.
Android security is clearly a constant challenge. That challenge can get infinitely greater if bad actors are playing around in the company’s supply chain.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.