“You don’t need [a zero-day exploit] to attack most Android devices if consumers are running 13-month old software,” says Chris Soghoian. Soghoian is principal technologist and senior policy analyst with the American Civil Liberties Union. He believes that wireless carriers and hardware manufacturers are the reason millions of Android phones in users’ hands today are vulnerable to hacking.
Soghoian says this is because wireless carriers and phone makers refuse to push updates to phones in a timely manner. Those updates include the security fixes meant to remove vulnerabilities from the devices. “You get updates when the carrier wants it and when the hardware manufacturer wants it, and usually that’s not very often,” says Soghoian.
Why are hardware makers not updating devices in a timely manner, when it makes sense for them to do so? Apparently, it is just not cost-effective. When Google updates Android, engineers have to modify the update for each different phone or chip that relies on the OS. That takes a lot of time, and hardware makers choose to spend that time developing new versions of the phone instead. Android users are effectively at the mercy of the update schedules of wireless carriers and phone manufacturers, who can take as long as a year or more to deliver the updates. Even worse, some phones end up not getting the latest updates.
Soghoian says that this is in direct contrast with the situation on Apple’s side. “When Apple decides that it’s going to give a security update to consumers or a feature update, every consumer who plugs their phone into their computer gets the update whether or not their respective regional carrier likes it.”
But Google is not to blame for this issue. According to Soghoian, Google actually fixes these vulnerabilities fairly quickly and makes the fixes available to its hardware partners. The problem is that the fixes are not reaching consumers in a timely manner, if they reach them at all. To fix this, Soghoian says that carriers need to accept responsibility for the devices they are selling to consumers or allow Google to handle updates. Unfortunately for Android users, Soghoian believes that this isn’t likely unless the government intervenes somehow.