In late October, researchers at North Carolina State University alerted Google to a security flaw that could let scam artists send phony text messages to Android phones, a practice called "smishing" that can ensnare consumers in fraud.
Google's security officials replied in minutes, confirming the flaw and promising to correct it. Within days they had incorporated a fix into the latest version of the Android operating system, Jelly Bean 4.2, and made available a security update for earlier versions.
But for most Android phones, the fix never arrived. For many, it never will.
That's because it's not clear which company (Google, the smartphone makers or the wireless carriers who sell them) bears ultimate responsibility for the costly process of getting security updates to Android devices. Fixes to known security flaws can take many months to reach individual smartphones, if they arrive at all.
The problem, say security experts, has contributed to making the world's most popular mobile operating system more vulnerable than rivals to hackers, scam artists and a growing universe of malicious software.
Breaches remain more common on traditional computers than on smartphones, which have been engineered to include security features not found on desktop or laptop machines, experts say.
But outdated software can undermine such protections. If there was a major outbreak of malicious software, the fractured nature of the system for delivering updates could dramatically slow efforts to protect information carried on Android phones, including documents, passwords, contact lists, pictures, videos, location data and credit card numbers.
The risks are particularly serious for businesses and government agencies, whose increasingly popular bring-your-own device policies have created new potential portals for espionage aimed at secure computer systems.
"You have potentially millions of Androids making their way into the work space, accessing confidential documents," said Christopher Soghoian, a former Federal Trade Commission technology expert who now works for the American Civil Liberties Union. "It's like a really dry forest, and it's just waiting for a match."
Google engineers designed Android to resist hackers and have continually improved it. The company also has worked to purge malicious software from its app store, called Play, minimizing the risk from one possible route of infection.
"We've built the system from Day One to deal with this kind of world," said Hiroshi Lockheimer, vice president of Android engineering. "The health of the Android ecosystem is really important to us."
Yet while each new generation of Android delivers improvements that close off newly discovered avenues of attack, the company has struggled to get updated software to smartphones already in the hands of consumers.
The latest version of Android, the one with the smishing fix, is used by just 1.2 percent of the more than 500 million Android devices worldwide, according to data compiled by Google. The company says it also released a security patch that could repair the flaw in earlier versions of Android, but neither Google nor the wireless carriers could say how many current phones received the patch.
Ars Technica, a news site covering the technology industry, analyzed the update schedules for dozens of the most popular Android smartphones in December and found that most had received only two updates since consumers bought them, sometimes years earlier.
Apple's iPhone, the leading competitor to Android smartphones, gets operating system updates several times a year. A similar update schedule is common to desktop and laptop operating systems and other software, with updates happening automatically, often with users not even knowing it.
What's different about the Android line of smartphones is that there are dozens of devices made by various manufacturers, such as Samsung, LG and HTC, that tailor the software and its updates to their own specifications. Then wireless carriers, such as Verizon Wireless, AT&T and Sprint, make their own changes and test each update before sending it to consumers over their wireless networks.
The overall process typically takes months and happens far less frequently than recommended by security experts, who call the diffusion of responsibility among several companies "fragmentation." Blame, too, is spread widely, though often focuses on the carriers as the most important choke point.
"Supporting five releases of phones is a cost they absolutely don't want to incur," said Dmitri Alperovitch, chief technology officer for CrowdStrike, a security company.
Wireless carriers say they seek to release updates promptly, but they acknowledge that the process generally takes months.
"When more than one company is involved in delivering the final product, as is the case with the Android environment, any improvements in the security update process must include all entities involved," said Ed Amoroso, chief security officer for AT&T.
Verizon Wireless, the largest wireless carrier, and Samsung, the largest Android device maker, both declined to answer detailed questions and said they deliver updates as quickly as possible. Sprint declined numerous interview requests, referring queries to Google.
Threats spread quickly
But security experts say Google by itself has little power to get faster updates to phones. It founded the Android Update Alliance in 2011, along with carriers and device makers, but the initiative has produced little so far.
The smishing vulnerability (so named because it was a version of SMS phishing, meaning it sought to trick users into clicking on a malicious link in a phony text message) was not nearly that serious, nor was there evidence that it had yet spread widely. Xuxian Jiang, the computer science professor who reported the flaw to Google, said he has heard numerous reports of smishing attacks in China but few in the U.S.
Yet a serious, widespread outbreak could move much faster than the companies involved in updating Android phones are prepared to react, experts say.
"They can sweep the world in a few hours," said Kevin Mahaffey, chief technology officer for Lookout, a mobile security firm. "Thankfully that hasn't happened on mobile yet. But I do see this as a potentially billion-dollar problem."