Some Android Manufacturers Reportedly Skipping Security Patches

Android mobile makers have been deceiving users about their smartphones’ security against malware and hacking vulnerabilities.

According to a new report from Wired, some Android phone makers have apparently been skipping critical security updates and assuring consumers that they are protected against certain threats when in fact their devices remain vulnerable. Some manufacturers have even gone to the lengths of altering the date of security patches received by devices, while no actual patches were installed on them.

Two well-known German researchers, Karsten Nohl and Jakob Lell of Berlin’s Security Research Labs, plan to release a report today showing that many Android security updates are bogus.

Nohl and Lell reverse engineered 1200 smartphones from more than a dozen popular Android OEMs to test their security levels and if they met Google’s requirements, reads the report. The results of the two-year-long investigation and testing were shocking as the researchers found a huge “patch gap” – the difference between the reported security patch level on a smartphone and the actual threats that it is protected against.

Some Android OEMs even went to the extent of displaying false security patch updates in a smartphone’s setting without actually installing the said patches. OEMs were found manipulating the date of the security patch shown in settings by modifying in build.prop.

“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl told Wired. “That’s deliberate deception, and it’s not very common.”

Some manufacturers were worse than others. While the likes of Sony and Samsung only skipped one or no security updates, Xiaomi, OnePlus, and Nokia skipped up to three. HTC, Huawei, LG, and Motorola skipped up to four, and TCL and ZTE skipped more than four. Phones built by Google did not skip security updates.

“You should never make it any easier for the attacker by leaving open bugs that in your view don’t constitute a risk by themselves, but may be one of the pieces of someone else’s puzzle,” says Nohl. “Defense in depth means install all the patches.”