A complaint filed with the Federal Trade Commission accuses wireless phone carriers of leaving millions of Android phone users vulnerable to attack from hackers by failing to distribute fixes for known security flaws in a timely manner.

The American Civil Liberties Union asked the FTC on Wednesday to investigate AT&T, Verizon Wireless, Sprint Nextel and T-Mobile for unfair and deceptive business practices stemming from their failure to provide available security patches for the Android operating system running on phones and for failing to inform consumers that their systems are unpatched and vulnerable to attack.

"A significant number of consumers are using smartphones running a version of the Android operating system with known, exploitable security vulnerabilities for which fixes have been published by Google, but have not been distributed to consumers’ smartphones by the wireless carriers and their handset manufacturer partners," the ACLU writes in its 16-page complaint (.pdf). "There are millions of vulnerable Android phones in the hands of consumers today because wireless phone carriers and phone hardware makers refuse to transmit existing software security fixes to phones in a timely manner, according to a security researcher."

Unlike Apple, which controls the distribution of software updates to its own phones, Android users can't get an update to their phones without a carrier's intervention. Instead, they have to obtain updates from servers operated by the carriers. But the wireless carriers and hardware makers can take a year or longer to distribute new firmware updates containing security fixes for phones.

“When Apple decides that it’s going to give a security update to consumers or a feature update, every consumer who plugs their phone into their computer gets the update whether or not their respective regional carrier likes it,” Chris Soghoian, principal technologist and senior policy analyst with the ACLU, told an audience at the Kaspersky Security Analyst Summit earlier this year. But with Android, “you get updates when the carrier wants it and when the hardware manufacturer wants it, and usually that’s not very often.”

Although Google is quick to fix vulnerabilities in its software when it finds out about them, there is a dangerous lag in getting those fixes to Android users, he noted.

Research released by DuoSecurity last September found that half of sampled Android devices had unfixed vulnerabilities, even though Google had already published patches for them. There are over 100 million Android devices deployed worldwide.

Hardware makers are slow to provide fixes for vulnerabilities because doing so is not cost-effective. When Google updates Android, engineers have to adapt the update for each phone or chip that relies on the operating system, which is time-intensive.

"The market has unfortunately failed to deliver regular security updates to millions of consumers using Android devices. As such, we believe that Federal regulators should step in and protect consumers," Soghoian wrote in a blog post about the complaint to the FTC. "As we stated in our complaint, if the mobile carriers are not going to provide important security updates, the FTC should at a minimum force them to provide device refunds to consumers and allow consumers to terminate their contracts without penalty so that they can switch to a provider who will."