
Android manufacturers have been lying about missed security updates

Tim Maytom

Numerous Android manufacturers have been misleading consumers about security patches they have failed to roll out, according to a new report from Security Research Labs (SRL). In a presentation at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell presented figures showing that a significant 'patch gap' exists on many Android phones: vendors tell users that the device carries all of Android's latest security updates when in reality as many as a dozen patches are missing.

Google has consistently struggled to get smartphone manufacturers and carriers to push out security-focused updates on a regular basis, but this new research reveals the extent to which major brands have fallen behind, and that the reported patch level itself cannot be trusted.

As of Google's last update in February, only 1.1 per cent of Android users have access to the most recent version of the software, and a study in 2016 found that only 17 per cent of devices were operating on a recent patch level.

For their research, SRL tested firmware from 1,200 phones from manufacturers including Samsung, HTC, Motorola, Huawei and even Google itself, checking for every Android patch released in 2017. Outside Google's flagship phones like the Pixel and Pixel 2, even top-tier manufacturers sometimes claimed that patches were installed when they weren't, and with lower-end producers like LG, TCL and ZTE, four or more patches were often absent.

"We find that there's a gap between patching claims and the actual patches installed on a device," said Nohl, founder of SRL, speaking to Wired. "It's small for some devices and pretty significant for others. Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best."
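The check Nohl describes boils down to comparing the patch level a device claims (the `ro.build.version.security_patch` property, readable with `adb shell getprop ro.build.version.security_patch`) against which fixes are actually present in its binaries. The following is an added example, not SRL's code or its SnoopSnitch app: it models that comparison on constructed sample data. In a real test the per-fix `installed` results come from a fingerprint database that inspects the firmware; here they are hard-coded, and the fix labels ("fix-A" etc.), the gap thresholds, and the sample device are all assumptions made for illustration.

```python
"""Patch-gap check: compare a device's claimed Android security patch level
with per-fix test results.

Added example; not SRL's code.  The per-fix results are CONSTRUCTED sample
data standing in for a binary fingerprint scan of the firmware.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PatchResult:
    label: str        # placeholder for the fix identifier listed in a bulletin
    bulletin: date    # Android Security Bulletin month the fix belongs to
    installed: bool   # True if the fix was detected in the device's binaries


def parse_patch_level(prop_value: str) -> date:
    """Parse ro.build.version.security_patch, e.g. "2017-11-05", into a date."""
    year, month, day = (int(part) for part in prop_value.strip().split("-"))
    return date(year, month, day)


def patch_gap(claimed_level: date, results):
    """Return the fixes the device *claims* to have (bulletin on or before the
    claimed level) but which were not detected.  Fixes from later bulletins are
    out of scope: a device is not expected to carry patches newer than the
    level it advertises."""
    return sorted(
        r.label for r in results
        if r.bulletin <= claimed_level and not r.installed
    )


def classify(claimed_level: date, results) -> str:
    """Summarise the gap.  Thresholds are this example's own, chosen to mirror
    the 'none', 'a few' and 'four or more' distinctions in the report."""
    in_scope = [r for r in results if r.bulletin <= claimed_level]
    missing = patch_gap(claimed_level, results)
    if in_scope and len(missing) == len(in_scope):
        return "date-only"          # level bumped, nothing actually installed
    if not missing:
        return "no gap"
    if len(missing) <= 3:
        return "small gap"
    return "large gap"


# Constructed sample device: claims the November 2017 level.
SAMPLE_CLAIMED = "2017-11-05"
SAMPLE_RESULTS = [
    PatchResult("fix-A", date(2017, 6, 1), True),
    PatchResult("fix-B", date(2017, 8, 1), True),
    PatchResult("fix-C", date(2017, 9, 1), False),
    PatchResult("fix-D", date(2017, 10, 1), False),
    PatchResult("fix-E", date(2017, 11, 1), False),
    PatchResult("fix-F", date(2017, 12, 1), False),  # newer than claim: ignored
]

# Constructed sample of the "just change the date" case Nohl describes.
DATE_ONLY_RESULTS = [
    PatchResult("fix-A", date(2017, 6, 1), False),
    PatchResult("fix-B", date(2017, 8, 1), False),
    PatchResult("fix-C", date(2017, 9, 1), False),
]


def report(prop_value: str, results) -> dict:
    """Assemble the result a tester would record for one firmware image."""
    level = parse_patch_level(prop_value)
    missing = patch_gap(level, results)
    return {
        "claimed_level": level.isoformat(),
        "missing": missing,
        "missing_count": len(missing),
        "verdict": classify(level, results),
    }


if __name__ == "__main__":
    print(report(SAMPLE_CLAIMED, SAMPLE_RESULTS))
    print(report(SAMPLE_CLAIMED, DATE_ONLY_RESULTS))
```

Running it on the constructed device reports three fixes missing behind a November 2017 claim; the second sample, where every in-scope fix is absent, is flagged as `date-only`, the pattern Nohl attributes to vendors advancing the patch-level string without shipping the patches.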

This deception doesn't just leave phones vulnerable to malware and other malicious tools used by fraudsters and criminals, but also creates a false sense of security, as users may erroneously believe their phone is up to date and fully protected.

When presented with SRL's findings, Google noted that some of the devices analysed were not Android certified devices, meaning they are not held to Google's security requirements, and added that modern Android phones usually have defence-in-depth features that make them difficult to exploit even when individual vulnerabilities remain unpatched.

"Security updates are one of many layers used to protect Android devices and users," said Scott Roberts, security lead for Android products, in a statement to Wired. "Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important.

"These layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging."

Nohl agrees that exploiting missing patches remains difficult for attackers, who are more likely to rely on methods like rogue apps sneaked onto the Google Play Store or distributed through less secure third-party sources. However, the fact that manufacturers are misrepresenting the level of protection they provide remains a worrying discovery, not least because a user checking the patch date in Settings has no way to tell the difference.