Study: Some Android OEMs lied about applying security updates (Updated)

Update (04/14/18 at 01:50 A.M.): Google has responded to the study, saying they were cooperating with Security Research Labs to shore up the mobile platform’s defenses.

“We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update,” the company noted in an emailed response to questions.

The Mountain View corporation sought to reassure users, saying that security updates were “one of many layers” used to guard Android devices. The company cited Google Play Protect and application sandboxing as two examples of these layers.

“These layers of security — combined with the tremendous diversity of the Android ecosystem — contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”

The response also comes after study co-author Karsten Nohl told Android Authority that a phone with a few missed updates is still “more secure” than your typical Windows machine.

“…Each phone has a number of security barriers and each missing patch usually affects only one of them. Consumers can take comfort in the thought that an Android phone with a few patch gaps is still more secure than the average Windows computer,” the security researcher elaborated.

Original article: Android brands can definitely do a better job of delivering security updates, but did you know that your phone manufacturer might be hiding patches from you?

That’s according to a two-year-long study by Security Research Labs (SRL), finding a so-called “patch gap,” Wired reports. The Berlin-based team found that many Android phone manufacturers were far behind on updates, or even lying about the last security update applied to the phone.

“Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best,” Karsten Nohl, Security Research Labs founder, told the publication.

The study found that lesser-known brands were worse than the likes of Google and Samsung. But results could even vary within a brand, as SRL found. The team cited the Samsung J5 2016 as being honest about the lack of patches, while the J3 2016 lacked 12 patches (including two deemed “critical”) despite claiming to receive every security update in 2017.

Nohl said that this “deliberate deception” wasn’t as common as vendors simply forgetting to update their devices. Nevertheless, the security company plans to update its SnoopSnitch app to show users the actual patch status of their handset.

The company also produced a chart (above), showing how many patches a brand was missing on average, despite claiming to be up-to-date. Big winners were Google, Samsung, Sony and French brand Wiko, while TCL and ZTE brought up the rear.

There’s far more worrying news for owners of MediaTek-equipped phones, as SRL found that these devices stealthily skipped 9.7 security updates on average. By comparison, the next highest number was 1.9 skipped patches, by HUAWEI’s HiSilicon.

The research group explained the discrepancy by saying budget phones are more likely to jump over security updates and use cheap chips. Wired adds that flaws could be found in mobile chips, with manufacturers dependent on the silicon makers to provide these fixes. So even if a company wants to update their phone with a patch, they can’t do much if the chipmaker doesn’t help out.

Nohl told the publication that hackers still have a challenge on their hands, owing to Google’s existing security measures. “Even if you miss certain patches, chances are they’re not aligned in a certain way that allows you to exploit them.”

The results are undoubtedly a cause for concern, but Nohl reckons cyber-criminals will “most likely” stick to social engineering techniques, such as dodgy apps on the Play Store.

We’ve contacted Nohl, Google, MediaTek, ZTE, and TCL and will update the article if we receive a response.