Insecure Android smartphone leads to court case for electronics retailer

A German consumer protection agency is suing an electronics retailer for not warning its customers about the security holes in a cheap Android phone it was selling.

A well-known weakness of the Android ecosystem is that some manufacturers sell phones running outdated versions of Google's operating system, and don't keep on updating them to close known security vulnerabilities. Google may give manufacturers the patches they need to do this, but often this protection doesn't reach the consumer.

This issue is now at the centre of the case involving a Cologne branch of the German electronics giant Media Markt. The branch is being sued by the North Rhine-Westphalia consumer protection agency, the Verbraucherzentrale NRW.

The phone in question was a low-end, €99 device called the Cynus T6, from a Korean manufacturer called Mobistel. It runs Android KitKat 4.4, which dates back to 2013. Media Markt no longer sells the T6, but it did stock it back in early August last year, when the Verbraucherzentrale NRW sent someone to buy a unit.

The buyer was accompanied by a representative of Germany's Federal Office for Information Security (BSI), which then conducted tests on the phone, finding 15 unresolved vulnerabilities. One flaw allowed arbitrary remote code execution, effectively meaning an attacker could take over the device.

The BSI informed Mobistel about the vulnerabilities in September, but says the company did not respond. Since then, the BSI told ZDNet, Mobistel has neither patched the flaws nor updated the OS for ongoing users of the T6.

Instead of trying to go after Google or Mobistel, the Verbraucherzentrale NRW decided to take action against the branch that sold the phone, in the Cologne district court. In particular, the authority is targeting the fact that the retailer did not warn customers about the vulnerabilities in the phone they were selling.

Quoted in aSüddeutsche Zeitung report, the head of the Digitale Gesellschaft tech industry consumer protection body agreed with the thrust of the regional authority's action. "Consumers should at least get transparent information," said Volker Tripp.

The BSI is not formally involved in the case, despite the fact that it's provided assistance to the Verbraucherzentrale NRW. Although security weaknesses in smartphones are a widespread problem, BSI spokesman Joachim Wagner told ZDNet that this relatively narrow case might be useful in bringing public attention to the issue.

"For the lawsuit, we had to choose a case," Wagner said. "So we hope that this will send a signal.

"We know it's not [an unusual] case and there are many smartphones sold right now which have vulnerabilities. The thing is we need to make sure that the user can make a well-informed decision."

Media Markt, which still stocks other Mobistel phones, had not responded to a request for comment at the time of publication.

ZDNet attempted to call the phone number listed on the manufacturer's German website (which bears the motto: "We, Mobistel, try to be the best we can be"), but it was disconnected.

Read more on Android security

• Amazon's app store compromises Android security
• Google names 42 Android devices with users running security updates from last two months
• Android security: Google's May update hits bugs with critical patches for Nexus, Pixel
• Android security report: Google aims to clean up 'unwanted software' in 2017
• iOS and Android security: A timeline of the highlights and the lowlights (TechRepublic)
• This is the easiest way to prevent malware on your Android device (CNET)