How cybercriminals are using Android security bulletins to plan attacks

Monthly security bulletins are issued to make sure Android devices stay patched. But cybercriminals are betting that it won't happen.

I recently interviewed a gentleman, one with a vested interest in Android, and was enlightened on a number of levels. During the interview we hopped onto the thread of security and dove pretty deep into the issue of malware and other Android security issues. Because of this particular aspect of the conversation, my source asked to remain anonymous (trust me, this guy knows his stuff and works directly with a large company with an immediate connection to Android security).

While discussing the Android Security Bulletin, we dove into the dreaded update rabbit hole that led us directly to the frustration that is users not checking for or applying updates. During this part of the conversation, my interviewee interjected something that should be seen as a chilling realization to not only end-users, but Google, every OEM that manufactures an Android device, and every carrier that sells Android devices to consumers.

Hold on a minute

Before I reveal this rather ominous reason for updates, I want to make sure you're not assuming this is yet another pundit crying to the heavens that "Android is nothing more than a playground for malware!" It's not. Yes, it seems there are daily reports of new malware discovered, and some of those can even affect end users (while others fall more in the proof of concept category). But the truth of the matter is, that's why updates are released, and why end users should take those updates (both on the platform- and the app-level) seriously.

Let me take a moment to say something that everyone needs to understand:

Updates are not just for adding new features.

That's right. Although we have created a culture of updates/upgrades only being important when they bring new and exciting features to the platforms, it's time to rethink that approach. All updates are important—especially those that patch vulnerabilities. This is why the Android Security Bulletin is an important tool. From that monthly report, it is possible to discern what is currently affecting the Android platform (as well as what has already been patched). Although very useful, that same bulletin can also be misleading to consumers who aren't versed in the ways of bug fixes and patches.

And that leads me to the issue at hand—the one with the ominous Theremin music playing in the background and the B-horror movie credits ready to roll.

The ne'er-do-wells

This is where my source insisted on repeating the "you didn't hear this from me" mantra (and why the source is remaining anonymous). Those security bulletins? Guess who reads them. If you said coders of malicious software, you'd be correct. You see, those who create malware read the bulletins to find out what ails the Android platform and then, in turn, craft their malware to take advantage of those flaws.

And this is where it gets really nasty.

Those malicious coders bank on the fact that users won't bother updating their devices. To that end, their malware can more easily make it onto those unpatched devices. For that reason, and that reason alone, you should check for (and apply) updates on a daily basis. Make a habit of it and do not forget. Check for updates on your device operating system and for your installed apps as well.

And don't consider this to be yet another pundit baking a story where there is none. This information comes to me from a reputable source working with a reputable company (one that happens to have a vested interest in Android and its security). And if it sounds like I'm being a bit of a broken record, I am. Why? Because this is one of those pieces of advice that cannot, in any way, be issued enough. Being lazy with updates leaves the end user open for malicious code to enter the system.

Don't panic

Although it might seem that we all have reason to panic, that's not the case. So long as you are checking for and applying updates on a daily basis, you should be good to go. And when Android "O" releases (with the real-time scanner baked in), the platform will enjoy a much stronger defense against malicious code. However, don't assume that, once that real-time scanner is in place, you can go back to ignoring updates. Considering writers of malware are counting on end-user laziness, this is one mobile habit you need to get into and keep.

Cue the music and roll credits.

About Jack Wallen

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website jackwallen.com.
