Android OEMs Duping Security Patches


A team of German security researchers found that many Android smartphones may be missing critical security updates regardless of what vendors may tell buyers.

Some of the largest Android smartphone makers are thought to be misleading users about important security updates, according to a report from Wired. The security patch level shown in a phone's settings is a string the manufacturer sets when it builds the firmware; on many devices that date was simply moved forward, so the phone claims to carry the latest patches while in fact still running an older, renamed update.

Wired published a detailed report on the issue, which was uncovered by security researchers Karsten Nohl and Jakob Lell of the German security firm Security Research Labs. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Nohl said.
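Because the advertised patch level is just a build property (`ro.build.version.security_patch`), a practitioner can at least check whether the string a device reports is plausible. The script below is an added example, not code from the Wired report or from Security Research Labs: it parses constructed `adb shell getprop` output, compares the claimed patch level with the firmware build date (`ro.build.date.utc`) and with the current date, and flags claims that cannot be right. The thresholds are heuristics (Android partners receive bulletin fixes roughly a month before publication, so a patch level much later than the build date is implausible). Passing these checks proves nothing about whether the patches are actually present in the binaries, which is exactly why SRL had to analyse the firmware itself.

```python
"""Sanity-check the self-reported Android security patch level.

Added example, not from the article or from SRL. The property names are the
real Android build properties; the sample output and the thresholds are
constructed/assumed for illustration.
"""
import re
from datetime import date, datetime, timedelta, timezone

# Constructed sample of `adb shell getprop` output (not captured from a real
# device): the patch level claims 2018-01-01 although the firmware itself was
# built in June 2017, which is not how a genuine update would look.
SAMPLE_GETPROP = """\
[ro.build.date.utc]: [1497398400]
[ro.build.version.release]: [7.0]
[ro.build.version.security_patch]: [2018-01-01]
[ro.product.model]: [EXAMPLE-J3]
"""

PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict; ignore other lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def claimed_patch_level(props):
    """Advertised patch level (YYYY-MM-DD) as a date, or None if absent/malformed."""
    try:
        return date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return None


def build_date(props):
    """Firmware build date from the UTC epoch seconds in ro.build.date.utc."""
    utc = props.get("ro.build.date.utc", "")
    if not utc.isdigit():
        return None
    return datetime.fromtimestamp(int(utc), tz=timezone.utc).date()


def assess(props, today, early_access=timedelta(days=31), max_age=timedelta(days=90)):
    """Return a list of findings about the advertised patch level.

    early_access: assumed lead time partners get on bulletin fixes; a patch
                  level further ahead of the build date than this is implausible.
    max_age:      how stale a patch level may be before it is worth flagging.
    An empty list means "claim looks plausible", NOT "patches are present".
    """
    findings = []
    level = claimed_patch_level(props)
    if level is None:
        return ["no parsable ro.build.version.security_patch"]
    built = build_date(props)
    if level > today:
        findings.append(f"patch level {level} lies in the future")
    if built is not None and level - built > early_access:
        findings.append(
            f"patch level {level} is {(level - built).days} days newer than "
            f"the build date {built}; a build cannot contain fixes that far ahead"
        )
    if today - level > max_age:
        findings.append(f"patch level {level} is {(today - level).days} days old")
    return findings


if __name__ == "__main__":
    # Pretend the check is run on 2018-04-13 so the sample is reproducible.
    for finding in assess(parse_getprop(SAMPLE_GETPROP), date(2018, 4, 13)):
        print("FLAG:", finding)
```

To run it against a live device, replace `SAMPLE_GETPROP` with the output of `adb shell getprop`; the parser skips any line that is not in `[key]: [value]` form. Treat a clean result as "nothing obviously wrong with the string", never as proof that the fixes from that bulletin are in the firmware.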

Security patches on third-party devices have been an ongoing problem for Google and its Android operating system.

This deception doesn't just leave phones vulnerable to malware and other malicious tools used by fraudsters and criminals, but also creates a false sense of security, as users may erroneously believe their phone is up to date and fully protected.

Phones from HTC, Huawei, LG, and Motorola were missing, on average, three to four of the security patches they advertised. Results varied even within one vendor's line-up: while Samsung's Galaxy J5 from 2016 accurately listed the patches it had, the J3 from the same year appeared to carry every patch issued in 2017 while actually missing 12 of them. Bringing up the rear are ZTE and TCL, whose phones on average missed more than four Android security patches.

"We're working with [SRL] to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google-suggested security update", Google's Android product security lead, Scott Roberts, told Wired. The researchers scanned 1,200 firmware samples from more than a dozen Android vendors, including Sony, Samsung, Google, TCL, ZTE, and a few others.

The reason is that crucial patches are commonly skipped by some of the most prolific players in the smartphone market, according to the in-depth findings from Security Research Labs (SRL). Your phone may say it is patched, but in reality it may not be.

Shortly after these findings were announced, Google said it would investigate each of the affected OEMs to find out exactly what is going on and why users are being misled about which patches they do and don't have.

Antivirus apps remain one of the most popular types of application on Android. Google's statement to Wired also pointed to the platform's other defences: "These layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging".

The researchers found patches were missing from a wide range of handsets across a variety of makers.