Researchers Catch Android OEMs Lying About Security Patches


Some Android OEMs have reportedly been skipping security patches, according to the security research firm Security Research Labs, which presented the issue last week, on Friday, April 6, at a conference in Amsterdam. The firm summarised its work as follows: "Based on our analysis of hundreds of phone firmwares we provide an overview of which sets of bug fixes are missing."

A team of German security researchers found that many Android smartphones may be missing critical security updates regardless of what vendors may tell buyers.

The claim comes from technology analyst firm Security Research Labs, which has reason to believe that Android manufacturers are telling lies about security patches. The researchers discovered manufacturers of low-end chipsets like Mediatek and Hisilicon missed more updates on average than powerhouses Qualcomm and Samsung. At the bottom of the list were Chinese brands TCL and ZTE, all of whose phones had four or more missing updates. Both Samsung and Sony had missed some patches, despite reporting they were up to date.

The differences vary from model to model and from manufacturer to manufacturer, but since the patches are listed in the monthly Security Bulletins published by Google, this should not happen under any circumstances.

It's already well known that Android phones tend to receive the latest updates weeks or months after the official release by Google.

The shoddy state of Android security on smartphones may come down to some smartphone makers skipping security updates from Google.

If you've got a super-old or ultra-budget Android device that hasn't received security updates in a long time, you're looking at more than a few patch gaps.


Nohl and Kell pointed to security features in Android such as address space layout randomisation (ASLR) and application isolation, which make exploiting devices complex. They added that, a few years back, the security industry made the problem worse for everyone by asking all vendors to ship a patch every month, which is not feasible given how complex the Android ecosystem is. For example, Samsung's 2016 J3 claimed to have every 2017 Android patch installed when in fact 12 were not.

The app reported that the Sony devices missed one security update, but found that tests for five other patches were inconclusive.

"We're working with [SRL] to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google-suggested security update", Google's Android product security lead, Scott Roberts, told the newspaper.
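The two caveats above (some tests come back inconclusive, and a vendor may ship an alternate fix rather than Google's suggested one) are exactly what an audit of claimed patch levels has to handle. The following is an added example, not SRL's tool or any code from the research, showing how a defender might reconcile a device's claimed patch level against per-fix test results without over-counting. The bulletins, bug ids (placeholders, not real CVEs) and test results are all constructed for the example.

```python
"""Reconcile a device's claimed Android security patch level against
per-fix test results. Added illustration; all data below is constructed
and the bug ids are placeholders, not real CVEs."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from enum import Enum


class Result(Enum):
    """Outcome of testing one fix on a device's firmware."""
    PATCHED = "patched"            # Google's fix recognised in the binary
    MISSING = "missing"            # vulnerable code present, fix absent
    INCONCLUSIVE = "inconclusive"  # the test could not decide either way
    ALTERNATE = "alternate"        # vendor shipped a different fix for the same bug


@dataclass(frozen=True)
class Bulletin:
    """One monthly bulletin: its patch level date and the bug ids it covers."""
    level: date
    fixes: frozenset[str]


@dataclass
class DeviceScan:
    """Claimed patch level plus per-fix test results for one device."""
    model: str
    claimed_level: date
    results: dict[str, Result]


def expected_fixes(bulletins: list[Bulletin], claimed_level: date) -> set[str]:
    """Every fix a device should carry if its claimed level is honest:
    the contents of all bulletins dated on or before that level."""
    return {fix for b in bulletins if b.level <= claimed_level for fix in b.fixes}


def patch_gap(scan: DeviceScan, bulletins: list[Bulletin]) -> dict[str, set[str]]:
    """Sort the expected fixes into buckets. Only a definite MISSING result
    counts against the device; an ALTERNATE fix counts as patched, and an
    INCONCLUSIVE or untested fix is reported separately, not assumed either way."""
    expected = expected_fixes(bulletins, scan.claimed_level)
    buckets: dict[str, set[str]] = {
        "missing": set(), "inconclusive": set(), "untested": set(), "patched": set()
    }
    for fix in expected:
        result = scan.results.get(fix)
        if result is None:
            buckets["untested"].add(fix)
        elif result is Result.MISSING:
            buckets["missing"].add(fix)
        elif result is Result.INCONCLUSIVE:
            buckets["inconclusive"].add(fix)
        else:  # PATCHED or ALTERNATE
            buckets["patched"].add(fix)
    return buckets


def claim_is_overstated(scan: DeviceScan, bulletins: list[Bulletin]) -> bool:
    """True only when at least one expected fix is definitely missing."""
    return bool(patch_gap(scan, bulletins)["missing"])


# Constructed sample data (hypothetical bulletins and placeholder bug ids).
SAMPLE_BULLETINS = [
    Bulletin(date(2017, 8, 5), frozenset({"BUG-A", "BUG-B"})),
    Bulletin(date(2017, 9, 5), frozenset({"BUG-C"})),
    Bulletin(date(2017, 10, 5), frozenset({"BUG-D", "BUG-E"})),
    Bulletin(date(2017, 11, 5), frozenset({"BUG-F"})),  # later than the claim, so not expected
]

SAMPLE_SCAN = DeviceScan(
    model="example-handset",            # hypothetical device
    claimed_level=date(2017, 10, 5),    # what the device reports in its settings
    results={
        "BUG-A": Result.PATCHED,
        "BUG-B": Result.MISSING,
        "BUG-C": Result.ALTERNATE,      # vendor's own fix, not Google's
        "BUG-D": Result.INCONCLUSIVE,
        # BUG-E was never tested
    },
)

if __name__ == "__main__":
    for bucket, ids in patch_gap(SAMPLE_SCAN, SAMPLE_BULLETINS).items():
        print(f"{bucket:>12}: {sorted(ids)}")
    print("claim overstated:", claim_is_overstated(SAMPLE_SCAN, SAMPLE_BULLETINS))
```

The point of the separate buckets is that a claimed patch level is only called out as overstated on a definite miss; inconclusive and untested fixes are surfaced for follow-up rather than silently counted as either patched or missing, which is the kind of detection refinement the Google quote refers to.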

In several cases, the chip makers were found to be the main culprits.

When presented with SRL's findings, Google noted that some of the devices analysed were not Android certified devices, meaning they are not held to Google's standards of security, and also mentioned that modern Android phones usually have security features that make them hard to hack, even when they have unpatched security vulnerabilities.

It is worth noting that some of the devices tested may not have been "Android Certified".