Nothing new here, but its nice to see government agencies recognize the problem. Perhaps users and consumers might see some relieve from outdated and insecure devices because carriers and OEMs want the consumer to buy a new device even while under an existing contract. I especially like the fact that the agencies recognize CarrierIQ, and the like as rootkits and spyware.
http://news.cnet.com/8301-1009_3-57600105-83/android-security-holes-worry-fbi-dhs/ The FBI and the Department of Homeland Security are increasingly aware of the threats that law enforcement officers and officials face at a federal, state, and local level by using older versions of the Android mobile operating system, according to a document obtained by Public Intelligence, a group focused on releasing government information to the masses. According to the document (http://info.publicintelligence.net/DHS-FBI-AndroidThreats.pdf) -- marked as unclassified but "for official use only," and designed for police, fire, emergency medical services, and security personnel -- upwards of 44 percent of Android users worldwide are still using Android versions 2.3.3 to 2.3.7, which still contain security vulnerabilities fixed in later versions. ... Some highlights from the report: * 79 percent of mobile malware threats affect Android, while 19 percent target Symbian. Windows Mobile, BlackBerry, iOS, and others all peg in at less than 1 percent each. (The source of the figures is not known.) * SMS text messages represent "nearly half" of the malicious applications circulating today on older Android operating systems. Users can mitigate by installing Android security suites on their devices. * Rootkits also pose a massive threat. The DHS/FBI document notes that in late 2011, popular rootkit Carrier IQ was installed on millions of devices, including Apple iPhones (though Apple later removed the software) and dozens of different types of Android devices. These rootkits often go undetected and can log usernames, passwords, and traffic without the user's knowledge -- a serious security risk in a government setting. * Fake Google Play domains are sites created by cybercriminals, the document notes, which replicate the Android application store to trick users into installing fake or malicious apps. DHS/FBI note that only IT-approved updates should be allowed, hinting that IT department should ensure secure IT policies from back-end mobile device management services. -- You received this message because you are subscribed to the Google Groups "Android Security Discussions" group. To unsubscribe from this group and stop receiving emails from it, send an email to android-security-discuss+unsubscr...@googlegroups.com. To post to this group, send email to android-security-discuss@googlegroups.com. Visit this group at http://groups.google.com/group/android-security-discuss. For more options, visit https://groups.google.com/groups/opt_out.
