Civil liberties advocates have asked the US Federal Trade Commission to take action against the nation's four major wireless carriers for selling millions of Android smartphones that never, or only rarely, receive updates to patch dangerous security vulnerabilities.

The request for investigation and complaint for injunctive relief was filed Tuesday by the American Civil Liberties Union against AT&T, Verizon Wireless, Sprint Nextel, and T-Mobile USA. The majority of phones that the carriers sell run Google's Android operating system and rarely receive software updates, the 16-page document stated. It went on to allege that the practice violates provisions of the Federal Trade Commission Act barring deceptive and unfair business practices, since the carriers don't disclose that the failure to provide updates in a timely manner puts customers at greater risk of hacking attacks. Among other things, the filing seeks an order allowing customers to terminate contracts that cover a phone that's no longer eligible to receive updates.

"All four of the major wireless carriers consistently fail to provide consumers with available security updates to repair known security vulnerabilities in the software operating on mobile devices," Christopher Soghoian, principal technologist and senior policy analyst for the ACLU, wrote in the document. "The wireless carriers have failed to warn consumers that the smartphones sold to them are defective and that they are running vulnerable operating system and browser software. The delivery of software updates to consumers is not just an industry best practice, but is in fact a basic requirement for companies selling computing devices that they know will be used to store sensitive information, such as intimate photographs, e-mail, instant messages, and online banking credentials."

As Ars Associate Writer Casey Johnston reported in December, owners of Android handsets routinely experience lengthy waits to receive Android updates, sometimes as long as 15 months after the introduction of a particular model. Johnston's in-depth survey found that all four of the carriers sold "orphaned" devices, meaning they didn't receive a single security or feature update after they came on the market. The ACLU brief cited the Ars article and went on to say carriers should be required to disclose the security risks that arise when phones don't run up-to-date apps and OS software.

"The wireless carriers have failed to warn consumers that the smartphones sold to them are defective, that they are running vulnerable software, and that other smartphones are available that receive regular, prompt updates to which consumers could switch," the complaint stated. "The practices of the major wireless carriers alleged herein as they relate to the poor security of the smartphones sold to consumers constitute deceptive and unfair business practices subject to review by the FTC under section 5 of The Federal Trade Commission Act."

Some of named carriers defended themselves.

"We are known for our rigorous testing protocols which lead the wireless industry, and we thoroughly test every update before delivering it to customers," a statement issued by Verizon said. "We work closely with our OEM partners and provide mandatory updates to devices as quickly as possible, giving attention and priority to ensuring a good and secure customer experience."

A spokesman from Sprint wrote: "Sprint follows industry-standard best practices designed to protect its customers."

Officials of AT&T declined to comment. T-Mobile representatives didn't respond to a message seeking comment for this article.

The FTC petition highlights one of the chief disadvantages of the Android OS, particularly when compared with Apple's iOS platform. Once Google releases an update that fixes critical security updates or adds new features, the code is usually then made available to individual phone manufacturers so they can customize it for each handset model. That modified code is then forwarded to carriers so they can optimize it for their particular wireless network. Frequently, the process results in long delays between the time an Android update is first released by Google and when it's available for a given handset. In many cases, carriers simply stop offering updates for a model. The original Motorola Droid sold by Verizon, for instance, never progressed beyond version 2.2.3 of Android, a practice that exposed customers who relied on the device to a variety of publicly known vulnerabilities that attackers can exploit to take full control of the handset.

Privilege escalation

Security experts said the proliferation of unpatched handsets opens millions of owners to hacks that wouldn't be possible if their smartphones were running more up-to-date versions of Android. The most common types of attacks on the mobile OS are launched by malicious apps exploiting vulnerabilities that escalate privileges, allowing the apps to access address books or other sensitive resources that by design are supposed to be off-limits.

"Privilege escalation vulnerabilities are commonly exploited by malicious Android apps, so that attackers can pop out of the Android 'sandbox' and gain full control over the device," Jon Oberheide, a researcher specializing in mobile security and the CTO of Duo Security, told Ars. "Since these patches are often rolled out months and years after the vulnerabilities are published, attackers can simply roll off-the-shelf exploits into their malicious apps. It doesn't require any significant level of expertise or sophistication to incorporate such exploits."

Sean Sullivan, a researcher and security advisor at antivirus provider F-Secure, said the most recent two versions of Android provide a variety of user-interface protections that are aimed at curbing some of the most common attacks targeting the mobile OS. Android 4.2, for instance, requires apps to more explicitly seek permission before being able to send text messages, a measure that thwarts malware designed to surreptitiously rack up charges to pricey services.

"Malware needs a stable end-point install base more than does legitimate software services," Sullivan said. "This fragmented market of Android's simply lengthens the time which it takes to wipe the slate clean."

According to Google data, only two percent of Android devices use the latest version of the mobile OS. More than 40 percent use version 3.2 or earlier. Version 3.2, aka Honeycomb, was released in July of 2011 and contains critical security bugs that have been fixed in later updates. An earlier, but still recent version, also curbs abusive apps that send notifications containing spam.

People in the US who want an Android phone that can receive updates promptly must choose a Google-managed device such as the Nexus 4. Security updates for these handsets come directly from Google, rather from wireless carriers.

The ACLU filing is a request that the FTC investigate the carriers along with factual and legal support for the argument that the four carriers aren't complying with US law. The commission isn't required to take any action in response. In the event FTC staff members launch an investigation, it could be months or even years for it to become public.