Report: Some Android phones are given credit for security patch updates they never received

A security outfit located in Germany says that some Android phone manufacturers are pulling the wool over their customers' eyes. Researchers working for Security Research Labs (SRL) discovered that companies like Google, HTC, Samsung, Sony, Motorola, ZTE, TCL and others are skipping over some Android security patch updates even though the phones show that they were installed.

SRL checked out the firmware on 1,200 Android handsets and looked for every patch disseminated in 2017. The results were interesting. Outside of the Google Pixel and Google Pixel 2, the tests revealed that even high-end flagship models made by the top manufacturers had Android security patch updates skipped over, even if the update was credited on the phone. By showing users that these patches were installed when they weren't, owners believe that their handsets are safer than they really are.

SRL founder Karsten Nohl says that in some cases, a manufacturer might accidentally miss a security patch update, or even two. But the Samsung J3 (2016) claimed to have every 2017 Android patch installed when in truth it had missed 12 updates, including a pair that were considered "critical" to keeping the handset safe and secure.

Besides manufacturers, SRL said some chip makers are to blame. In particular, phones powered by a MediaTek chipset had 9.7 missed patches on average. That could be due to the fact that some cheaper phones using less expensive chips are more likely to miss updates. SRL founder Nohl says, "The lesson is that if you go for a cheaper device, you end up in a less well maintained part to this ecosystem."

Google says that some of the devices in the study may not have been Android certified devices, which means that Google's standards of security would not apply to them. And some patches may have been missed, says Google, because the manufacturer removed the offending feature instead of fixing it with the patch. Google is working with SRL to delve deeper into its test results.

In Amsterdam this Friday, Nohl and fellow SRL researcher Jakob Lell will present the results of their two-year test, which revealed what they call the "patch gap," at the Hack in the Box security conference.


source: Wired

20 Comments

1. ch3mn3y

Posts: 77; Member since: Sep 17, 2017

But you know that if device was updated December 2016 and then December 2017 then it has all the 2017 patches? So it's not a lie. And it's hard for OEM to update all their devices, so I don't see it strange that lowest ones are updated less regularly than flagships (and middle-end as well, at least for some manufacturers like e.g. Sony).

2. notfair

Posts: 755; Member since: Jan 30, 2017

I have a Mate 10 Pro at the moment and I am on January security patch. Since October 2017 I only received 3 updates ... Huawei is very slow with updates.

4. kakudiego

Posts: 123; Member since: May 21, 2014

3? my p9 plus received ZERO since feb 2017

8. antroid

Posts: 392; Member since: Jan 24, 2018

Maybe those security patches fix the holes where they can spy on you

13. Ghost04

Posts: 522; Member since: May 03, 2014

My P9 is running March, 2018. I received dozens over last 1.5 years. Usually they provide a patch in every 1.5-2 months.

10. Subie

Posts: 2394; Member since: Aug 01, 2015

It takes Huawei longer because they need to make sure the security patches don't conflict with their phones' ability to spy on Americans for the Chinese Government ;)

16. yalokiy

Posts: 1057; Member since: Aug 01, 2016

Nice joke.

19. Kohai

Posts: 50; Member since: Jun 04, 2010

What the article says is that even when you have downloaded and installed those supposed security updates (not SW, we are talking about security patches) they may actually contain no security patch. They blame the OEMs for lying about it.

3. Sammy_DEVIL737

Posts: 1529; Member since: Nov 28, 2016

These companies don’t care for the security patch updates. Okay I get it you can’t update the devices with latest OS’s but at least give them security patches every month. In the name of 2yrs of security patch updates many manufacturers don’t give them consistent updates like the Samsung Galaxy A8+(2018) which my cousin bought the other day it was launched isn’t getting regular patch updates it only gets those quarterly updates just because it didn’t sell as much expected whereas my Galaxy A5(2016) receives patch updates every month (currently running on March security patch) just because it sold well. And please don’t even say that if you buy budget phone or low end phone don’t expect any updates as the Galaxy C7/C9 Pro which is considered as upper midrange device doesn’t even get a single update & it’s the same reason just because it didn’t sell well. This feels like cheating & if this the case of an upper midrange device then think what those low end devices might be having. Really all these manufacturers have to step-up their game in terms of updates if ever they want to compete with manufacturers who consistently give updates (Apple).

5. cmdacos

Posts: 4267; Member since: Nov 01, 2016

Google needs to come down hard on any vendor that circumvents the security trust.

7. hatersgonnahate

Posts: 10; Member since: Jan 24, 2015

Lol mediatek..not surprised. That's why I always avoid mediatek chip phone.

9. Subie

Posts: 2394; Member since: Aug 01, 2015

I noticed that Blackberry and Nokia were not mentioned as offenders. Good for them if they're truly on the ball with security patches!

12. Dr.Phil

Posts: 2452; Member since: Feb 14, 2011

TCL, which makes Blackberry, and Nokia were mentioned. If you look at the pictures that accompany the article, you will find how many patches they missed on average. EDIT: Even though TCL makes Blackberry, it may be referring to their other phones like Alcatel since Blackberry themselves makes the software. So you might be right about Blackberry, but Nokia is still included.

14. Subie

Posts: 2394; Member since: Aug 01, 2015

Good catch. And yes, Blackberry handles the software for TCL's Blackberry mobile devices. But it would be interesting to know if they really are including the new Blackberry Mobile devices. The Priv would be Blackberry's own exception here.

11. DolmioMan

Posts: 335; Member since: Jan 08, 2018

Naughty naughty. Slow updates is one thing but lying about it is another.

15. worldpeace

Posts: 3135; Member since: Apr 15, 2016

See that table? Xiaomi is better than HTC, Huawei, LG, and Motorola

17. Ali888

Posts: 100; Member since: Apr 13, 2018

I don't get why there's a samsung phone mentioned here. I mean they're first on all the tables, and if I'm not mistaken they were first to release the April security patch. My girlfriend's p10 is still on October security patch from 2017, why doesn't phonearena put a Huawei phone up or an LG? I get that Samsung isn't the best with updates but are Huawei and LG better?

18. ChicagoBorn

Posts: 101; Member since: Jan 24, 2018

You didn’t even read the article....

20. Trex95

Posts: 2383; Member since: Mar 03, 2013

Android fragmentation as usual. The only way to solve this fragmentation issue that Google don’t sell Android to other OEM’s and keep only Pixel phones, but unfortunately Pixel not going to sell as good as Samsung unless Google call their Pixel phones Galaxy Pixels and made by Samsung.
