Last year, Google bought Motorola Mobility, a leading manufacturer of mobile devices, which may eventually lead to faster updates for that company's products. Google's record of updating software on its own line of phones and tablets, called Nexus and produced in conjunction with other manufacturers, is better than when phone makers simply adopt the Android system, which Google makes and distributes for free.
The extent of risk to smartphones is a subject of intense debate among security experts. Alperovitch, the expert from Crowdstrike, said most consumers for now face little danger so long as they buy apps through Google's store and don't patronise the growing number of third-party stores, which have become popular in China and beyond.
Other experts say the risk is real and growing for all Android users. McAfee, the anti-virus company, says it has documented an explosion in the amount of malicious software designed to target the operating system, which runs on three out of four new smartphones worldwide. Some malicious software steals personal information, while other programs can initiate phony charges that can appear — and often are not detected — on the mobile phone bills of consumers.
Trend Micro, another security company, has reported on the spread of Android-based botnets, which could allow remote users to take control of thousands or even millions of devices at a time.
For those looking to hack into smartphones, there are many potential entryways: browsers, text messages, emails, mobile signals, wi-fi signals, Bluetooth connections and, for the latest smartphones, Near Field Communication radios. Some powerful spying software, typically used by governments, allows hackers to switch on cameras or microphones, to watch or listen to smartphone users.
"Now they can hack your life, your physical life, not just your cyber life," said Tom Kellermann, a Trend Micro vice president and member of President Barack Obama's Commission on Cyber-security.
Such intrusions are difficult and time-consuming, making them unlikely for ordinary users. But security experts warn such tactics could be used against the most valuable targets, such as business executives or senior government officials, especially if they are running outdated software.
"It's essentially the weak link in the chain," said Pat Calhoun, a senior vice president at McAfee, a maker of security software. "The cybercriminals have determined that if they want to get into the enterprise, the best way is through the mobile device."
The "smishing" vulnerability — so named because it was a version of "SMS phishing," meaning it sought to trick users into clicking on a malicious link in a phony text message — was not nearly that serious, nor was there evidence that it had yet spread widely. Xuxian Jiang, the computer science professor who reported the flaw to Google, said he has heard numerous reports of "smishing" attacks in China but few in the United States.