Last October, there were reports that researchers at North Carolina State University, found that the then current version of Android was vulnerable to smishing acts. Smishing is a term for “SMS Phishing” wherein an SMS pretending to be from someone in your contact list beckons you to click on a link. This then opens up your phone to invasion, which can lead to theft of your private information, system crashes and smishing messages being sent to your contact list. Google responded promptly to the complaints made by these researchers, and an updated version of Android Jelly Bean 4.2 was made available soon after.
While that makes the problem-solving process seem quite efficient, the real catch arises after the update has been developed. Who will get this update to the consumer is the question all entities involved in the Android ecosystem shy away from answering. This issue is rooted in the fact that Android is the most fragmented smartphone operating system in the world. First, there’s Google, of course. Second, there is a slew of phone makers like Samsung, HTC, Motorola, etc. that produce Android-powered phones. And finally there are the mobile carriers that get these phones to the end user.
Between these entities, the whole security update process takes weeks or even months, and in most cases, it doesn’t get to majority of the users at all. This is quite despicable when compared to its leading competitor iOS. Apple only releases a few updates each year, similar to computer platforms, and most users’ phones are updated with these automatically – without the user even releasing it in some cases. The direness of this situation is highlighted when you consider recent numbers by Google that show that only 1.2 percent of Android’s 500 million consumers are using the latest version of Android that comes with the smishing fix.
According to Xuxian Jiang, the computer science professor that reported the security threat to Google, the smishing threat was more valid in China than in the U.S. Overall, it was not a very potent threat and the number of phones affected did not reach too high. But Android’s lag in getting security patches to users creates the possibility of an easy widespread attack. Unless Google significantly streamlines the security response process, it may pay a hefty cost in the event of a widespread attack.
