Some Android phone makers have lied about having fully updated security patches

Alfred Osborne
April 13, 2018

The results are startling: the researchers found a significant "patch gap" between what many phones report as the security patch level and what vulnerabilities these phones are actually protected against.

Clearly, Google, Sony, Samsung, and the lesser-known Wiko are at the top of the list, while TCL and ZTE are at the bottom.

After conducting research that spanned two years on Android devices, Security Research Labs (SRL), a German security firm, claims that many devices had what SRL calls a "patch gap". According to the study, phones with Samsung-made chips had far fewer skipped updates. Most other major Android phone makers fall somewhere in between.

"Sometimes these guys just change the date without installing any patches", Nohl was quoted as saying.

Speaking to Wired, SRL researchers Karsten Nohl and Jakob Lell said they found several vendors that had not installed a single patch. You go out of your way to keep your data safe, protecting your handset with a strong passcode, paying close attention to the permissions you grant apps, and making sure that your phone is always running the latest security updates available to it.

Nohl and Lell plan to present their findings at the Hack in the Box security conference in Amsterdam tomorrow, and post their full paper online after their presentation. SRL Labs is going to release an update to its Android app SnoopSnitch that will let users check their phone's code for the actual state of its security updates, but it is unlikely that users will manually check for patches.

Google has long struggled with how best to get dozens of Android smartphone manufacturers - and hundreds of carriers - to regularly push out security-focused software updates.

Security researchers have accused some Android device makers of misleading users about whether or not devices are being patched. However, does this excuse manufacturers who say their devices are fully updated when they are not?

Most non-Google Android phone makers (except for Sony) were once awful at keeping up with security patches. Phones with Samsung processors skipped few patches, while models using MediaTek chips missed nearly 10 patches on average. It appears Motorola may not be living up to its promises. But that number starts creeping higher as we look at hardware from LG, HTC, Motorola, and ZTE, with the latter's phones averaging four or more absent patches. At least, you think your phone is patched against the most recent security exploits, but is it really? In a somewhat better grouping, each Xiaomi, OnePlus and Nokia phone tested had between one and three missed patches. MediaTek chipsets, by contrast, had an average of 9.7 missing security patches.
