Android Phones Claiming to Have Latest Patches Don't Always Do
Android vendors like to claim their smartphones are routinely updated with the latest security patches. Just don't take their word for it.
New security research out of Germany has found that most Android vendors are mistakenly telling customers their phones are running the latest updates. In reality, their firmware upgrades can end up omitting a few critical patches, usually by accident.
The findings come from Karsten Nohl and Jakob Lell at Security Research Labs in Berlin, who've examined 1,200 firmware samples from smartphones sourced to over a dozen vendors. Companies such as Google, Samsung and Sony had the best record of installing the patches, whereas Chinese vendors including Lenovo's Motorola, TCL and ZTE had trouble rolling them out.
It's already well known that Android phones tend to receive the latest updates weeks or months after the official release by Google. In some cases, a phone won't receive them at all. A big reason why is the Android ecosystem; it's spread across a whole host of manufacturers and mobile carriers, each of which is tweaking the Android operating system to help make their phones unique.
Nohl and Lell decided to investigate phones that had supposedly received and installed the latest Android updates. Specifically, they focused on patches for critical or high severity bugs that were released in 2022 and whether vendors were really rolling them out.
The two researchers have released a breakdown of their findings. Chinese manufacturers TCL and ZTE were among the biggest offenders and on average had more than 4 patches missing in their phones.
However, the devices with the most glaring problems were those built with processors from Taiwan's MediaTek. On average, these phones had 9.7 missing patches.
In an interview on Thursday, Nohl said the patching problem can be blamed on the sheer "complexity" of the Android ecosystem and a lack of quality control. Each time Google introduces a software update, chipset vendors like Qualcomm and MediaTek test it out, make adjustments, and then hand off the software to Android smartphone makers for integration. However, these vendors have to test out the Android software too and across multiple devices.
During that whole process, a security patch can be lost in the shuffle, Nohl said. "Vendors generally put in a real effort, but things can be forgotten, skipped, or the vendor will want to do it later," he said.
Ironically, the security industry may have made the problem worse. "A few years ago, our community pressured vendors to patch every month," Nohl said. "But the Android ecosystem is so complex."
Samsung, for instance, has hundreds of different phone models, all of which can be sold across the world. The Korean vendor generally had a strong record on the software updates, according to Nohl, but it did drop the ball when it came to its Samsung J3 handset, which was found missing 12 patches.
"If you only have one month to patch, you can't do much quality checking," he said.
The pressure to patch can also create incentives for vendors to lie. Nohl has observed a few cases in which a vendor tried to deceive consumers about the security of their phone. His research was actually kicked off when his company complained to one manufacturer about the missing patches on a client's smartphone.
"In response to our complaint, all the vendor did was change the (software) date one year forward," Nohl said. "That made us realize that the date is not actually tied to any evidence."
Nohl declined to name the vendor, but he's been trying to hold smartphone makers accountable. He pointed to the French vendor behind the Wiko Freddy, a smartphone found to be missing 80 patches. "Once they were made aware, they came around," Nohl said.
The good news is that Nohl and his company have come up with a solution. On Thursday, his company released an updated version of an app that can tell you whether your smartphone is missing any patches. Data taken from that app can then be shared with the device manufacturers in the hopes the problems will be fixed.
In the meantime, owners of affected smartphones shouldn't panic if they discover a missing software update. "Skipping a single patch does not usually expose risk," Nohl said. Oftentimes, hacking an Android device involves exploiting a chain of software bugs, not just one. Most Android malware can also be avoided by being careful of what you download; for instance, cybercriminals like to deliver the malicious code through legitimate-looking apps by uploading them to third-party app stores.
Nevertheless, each patch on an Android smartphone is like a layer of protection. The fewer you have, the more vulnerable your device can be to certain attacks, Nohl said.
In response to his research, Google agreed that even without the latest security patches, exploiting an Android phone "remains challenging." The company is continually adding new safeguards to the Android OS that can isolate and detect malicious code before it gains a foothold.
In addition, Google is working to improve Nohl's app so that it can identify Android phones installed with "alternative security updates" that the company says may have gone undetected from his research.
MediaTek said the company takes security and privacy seriously, but hasn't had the chance to review Nohl's research. He and his colleague Jakob Lell plan on presenting their findings on Friday at a security conference.
Source: https://sea.pcmag.com/news/20586/android-phones-claiming-to-have-latest-patches-dont-always-do
Posted by: scarbroughwortally.blogspot.com
