large image

Trusted Reviews is supported by its audience. If you purchase through links on our site, we may earn a commission. Learn more.

Are Android phone makers lying to you about important security updates?

While Android operating system updates tend to take forever to reach users, Google and manufacturers are a little better at pushing out monthly security updates to the community, in order to plug potential holes.

At least we thought so…

Research firm Security Research Labs claims some Android device makers are telling customers the firmware is up to date with the latest security patches, when in fact those patches have been skipped.

Wired reports the existence of these “patch gaps” with manufacturers missing up to a dozen security patches, even while telling users all known issues have been addressed.

This is giving Android users a literal false sense of security and leaving them open to potentially malicious software exploits.

“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” SRL founder Karsten Nohl said.

“Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”

Related: Samsung Galaxy Note 9

Remarkably, top manufacturers like HTC, Sony, Samsung and Motorola were occasionally missing the patches.

While the major manufacturers might be missing a patch here and there, the worst offenders seem to be the likes of ZTE and TCL who, on average, have missed at least four patches they claimed to have released.

“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl says. “That’s deliberate deception, and it’s not very common.”

Google said it is investigating the claims and will push any vendor skipping patches to bring their devices into compliance.

The company wrote (via The Verge): “We’re working with them [SRL] to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users.

“Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”

Do these reports worry you? Drop us a line @TrustedReviews on Twitter.

Why trust our journalism?

Founded in 2004, Trusted Reviews exists to give our readers thorough, unbiased and independent advice on what to buy.

Today, we have 9 million users a month around the world, and assess more than 1,000 products a year.

author icon

Editorial independence

Editorial independence means being able to give an unbiased verdict about a product or company, with the avoidance of conflicts of interest. To ensure this is possible, every member of the editorial staff follows a clear code of conduct.

author icon

Professional conduct

We also expect our journalists to follow clear ethical standards in their work. Our staff members must strive for honesty and accuracy in everything they do. We follow the IPSO Editors’ code of practice to underpin these standards.