While Android operating system updates tend to take forever to reach users, Google and manufacturers have been somewhat better at pushing out monthly security updates to plug known holes.
At least we thought so…
Research firm Security Research Labs claims some Android device makers are telling customers the firmware is up to date with the latest security patches, when in fact those patches have been skipped.
Wired reports that these “patch gaps” leave some devices missing up to a dozen security patches, even while the firmware tells users that all known issues have been addressed.
This gives Android users a false sense of security: the patch level shown on the device is simply a date string the manufacturer sets in the firmware, so a phone can report itself fully patched while the underlying fixes are absent, leaving users exposed to exploits for vulnerabilities they believe were closed.
“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” SRL founder Karsten Nohl said.
“Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
Remarkably, even top manufacturers like HTC, Sony, Samsung and Motorola were occasionally missing patches.
While the major manufacturers might be missing a patch here and there, the worst offenders appear to be the likes of ZTE and TCL, which on average had missed at least four patches they claimed to have released.
“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl says. “That’s deliberate deception, and it’s not very common.”
Google said it is investigating the claims and will push any vendor found to be skipping patches to bring its devices into compliance.
The company wrote (via The Verge): “We’re working with them [SRL] to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users.
“Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”
Do these reports worry you? Drop us a line @TrustedReviews on Twitter.