Researchers find some Android phone manufacturers misguide users about missed security updates


Google introduces a new version of Android every year at its I/O event, and except for the Pixel phones and Android One devices, it is the OEM's job to push updates to its own portfolio. It is a known fact that Android phones are infamously slow to get updates: the February distribution figures show only 1.1% of Android phones running the latest OS.

However, problems with Android software updates don't stop there. According to a report from Wired, the research firm Security Research Labs (SRL) is claiming that numerous Android manufacturers are misleading users about missed security patches. SRL researchers Karsten Nohl and Jakob Lell spent two years analyzing Android phones to check whether they had actually installed the security patches that the software claimed were installed.

The researchers found what they call a "patch gap": the software claims it is up to date with security patches, but in reality at least a dozen patches are missing. According to the Wired report, SRL tested firmware from 1,200 phones from companies including Google, Samsung, HTC, Motorola, ZTE, and TCL against every Android patch released last year. They found that even flagships from Samsung and Sony occasionally missed a patch.

Whether intentional or not, at the end of the day users are left vulnerable to attacks and are also being lulled into a false sense of security, which could lead to far more serious consequences down the line. SRL is also releasing an updated version of its SnoopSnitch app on the Play Store, which will tell you whether your phone's firmware is missing any of the Android security patches it claims to have installed. While this is a good tool to have, it shouldn't have come to this in the first place.

To be clear, not all phones are equally affected. On average, phones from Samsung and Sony only tended to miss the occasional patch, while companies like ZTE and TCL performed far worse.

Google commented on the new development and said:

We would like to thank Karsten Nohl and Jakob Lell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.

Source 1, 2