Some Android phone makers have lied about having fully update security patches

Some Android phone makers have lied about having fully update security patches

A study spearheaded by Karsten Nohl and Jakob Lell of Security Research Labs revealed OEMs have been making users think their phone is up to date while never having applied the supposed security patches. Security updates are one of many layers used to protect Android devices and users.

This is according to Wired which reported on research set to be published tomorrow at the Hack in the Box security conference. But in the last couple of years many of them, including Samsung and Motorola, sped up the process and now issue the Google patches within a few weeks. Not surprisingly, all Google phones were found to have every patch released present. One of the lowest performing brands were TCL and ZTE, all of whose phones had on average over four patches that they claimed to have installed, but had not. This is incredibly simple to fake-even you or I could do it on a rooted device by modifying ro.build.version.security_patch in build.prop. Out of the 1,200 phones tested by SRL, which included devices from Google, Samsung, HTC, Motorola and TCL, the firm found that even flagship devices from Samsung and Sony missed a patch.

In some cases, the researchers attributed it to human error: Nohl believes that sometimes companies like Sony or Samsung accidentally missed a patch or two.

The team at SRL labs put together a chart that categorizes major device makers according to how many patches they missed from October 2017 onwards.

JP Morgan sued over credit card fees for cryptocurrency purchases
The fund owned 143,200 shares of the financial services provider's stock after selling 1,881 shares during the quarter. Facebook presently has a consensus rating of "Buy" and an average target price of $210.16. 17,729 JPMorgan Chase & Co.

Wide action against child sex abuse nets 150 accused
Police identified the suspect as Paul Edward Acton Bowen and said he is the founder of the Acton Bowen Outreach Ministries. A total of 13 Canadians have been convicted of child pornography-related charges in connection with the investigation.

CEO of shuttered sex classifieds site Backpage pleads guilty
In a statement Thursday, the office said Backpage.com CEO Carl Ferrer also had pleaded guilty to money laundering. This plea follows the permanent shutdown of Backpage.com announced on April 9.

When it comes to the consumer, it gets hard to identify if their device has been actually receiving the security update or not. We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. And if a company making those chips isn't keeping up with patches, it becomes quite hard for the manufacturers of the phones running them to fully secure their devices. Lesser known manufacturers, on the other hand, missed out on many more.

Due to these findings, SRL has updated its SnoopSnitch app, allowing Android phone users to get an accurate breakdown of which updates have and haven't been installed. The good news is that Android's underlying security architecture does its best to mitigate the impact of malicious actors, and even if your OEM skipped one or two patches, so long as it's caught up with the bulk of them, you're probably in good shape.

As for Google's response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted "patch gap". All of the requisite permissions for the app and the need to access them can be viewed here. Enter your email to be subscribed to our newsletter.

Related Articles