Hackers have discovered a new serious security vulnerability in certain Android smartphones that is not easily or quickly patched because of Android's open and fragmented platform -- per Joseph Menn's report in the FT.
- Specifically an HTC Android browser vulnerability enables a hacker to take broad control of an Android device.
The potential security implications of this are even more serious than they first appear.
- Google's Android operating system is an Open Source software variant, and Open Source design is inherently very supportive of peer-2-peer applications.
- This suggests that Google's fastest-growing mobile operating system is potentially more vulnerable to mass manipulation via zombie botnet attacks than proprietary mobile operating systems that are by design more secure and less promiscuous, i.e. less peer-2-peer friendly.
- Moreover, Google's design priorities are easy access to free applications and speed, with security protections secondary; whereas other mobile operating systems, like Apple's Nokia's and Microsoft's, design security in as a first purpose.
- Furthermore, Google continues to shift primary responsibility for security onto their users. Google's spokesperson: "As always, we advise users to only install applications that they trust" per the FT article.
- This is disturbing circular logic, given that Google broadly and loudly claims users can trust Google generally, which strongly implies that users can trust apps in the Google App Store specifically, but Google's CYA puts the blame on the victim that downloaded a malicious app from Google's App Store.
Why is this so problematic?
If hackers can take control of individual Android phones through the download of a common app, and then users use other social networking apps on the Android phone, the individual secret zombie Android smartphones likely then could be linked together in a peer-2-peer secret mobile zombie botnet.
- This notion is not farfetched at all given that this is basically how Google's own secret "botnet" appears to be secretly crowd-sourcing its WiFi mapping of its mobile location service, in order to compete with SkyHook Wireless, Google's top competitive imperative in its mobile business model.
This mobile botnet vulnerability is especially worrisome in the mobile context because it could be misused by bad actors to create and manipulate "flash mobs," a potentially insidious and dangerous new law enforcement threat where groups can appear immediately out of nowhere, maraud, loot and destroy and just as quickly disperse before law enforcement can react.
This Android vulnerability is also very worrisome because hackers used peer-2-peer social networking apps to steal a Google engineer friend's identity to then spoof the Google engineer to break into that Google's engineer's computer.
- This was how Chinese hackers allegedly hacked into Google and stole Google's entire universal password system called Gaia, per the New York Times.
In sum, this latest reported security vulnerability in Google's Android mobile operating system is a big red flag, because Android is the fastest-growing mobile OS in the world and because it strongly confirms security is not a priority in Google's software design and operation.
- Beware. Security remains Google's Achilles heel.
Previous parts of the "Security is Google's Achilles Heel" Series:
- Part I: "Why security is Google's Achilles heel"
- Part II: "Google values security much less than others do"
- Part III: "Google: "Security is part of our DNA" (Do Not Ask)
- Part IV: "Why Security is Google's Achilles Heel"
- Part V: "Google Apps Security Chief is a magician/mentalist"
- Part VI: "Google-China: Implications for Cybersecurity"
- Part VII: "Did Google Over-React to China Cybersecurity Breach?"
- Part IX: "Google's Titanic Security Flaws"
For even more information, see the Security section of PrecursorBlog's sister site: www.GoogleMonitor.com.