Researchers say some Android phone makers hide missed updates

Outside of the Google Pixel and Google Pixel 2, the tests revealed that even high-end flagship models from the top manufacturers had skipped Android security patches, even when the phone reported the update as installed.

The findings on these security patches come from Karsten Nohl and Jakob Lell at Security Research Labs in Berlin. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Nohl is quoted as saying.

After a two-year study of Android devices, German security firm Security Research Labs (SRL) found that many devices had what is called a "patch gap": the phone's software claims to be up to date with the latest security update, but it has actually missed a number of patches, Wired reports.

"Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Karsten Nohl, Security Research Labs founder, told the publication.

"These layers of security-combined with the tremendous diversity of the Android ecosystem-contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging".

"The lesson is that if you go for a cheaper device, you end up in a less well maintained part of this ecosystem", said Nohl.


The researchers told Greenberg that they examined 1,200 handsets for evidence of every Android security patch released in 2017. The team cited the Samsung J5 2016 as being honest about its lack of patches, while the J3 2016 lacked 12 patches (including two deemed "critical") despite claiming to have received every security update in 2017. For some features, the app needs to be run on rooted Android phones, but the security patch analysis will work on all phones using a Qualcomm chipset. Unsurprisingly, Pixel phones are the best, accurately indicating that they're up to date with security fixes, and devices from Samsung and Sony aren't far behind, maybe only missing one fix out of a larger batch.

The researchers noted that the SoCs the smartphones use may be the cause of the issue. Sony and Samsung devices were found to have skipped only 0-1 security updates. It appears Motorola may not be living up to its promises. One theory points to the chipsets these handsets are running, as there seems to be a correlation between particular SoCs and the availability of security updates: Snapdragon-based phones and those running Samsung's Exynos chips may have only one recent fix missing, while those built with MediaTek chips average almost ten. HTC, Huawei, LG and Motorola all had between three and four skipped patches, while Xiaomi, OnePlus and Nokia skipped, on average, between one and three security updates.

It would seem that your brand-spanking new Android phone is not as secure as you think it might be.
