Android Phone Makers Caught Fibbing About Security Patches

Android handset manufacturers may not be telling the whole truth about security updates, according to two well-known German researchers.

Credit: Edaccor/Shutterstock

(Image credit: Edaccor/Shutterstock)

Karsten Nohl and Jakob Lell of Berlin's Security Research Labs plan to release a report tomorrow (April 13) showing that many Android security updates are bogus, according to a report in Wired and a preview of the "Android Patch Gap" the researchers put online.

Manufacturers tell users that phones are patched up to a certain month, the researchers said, but some months have been skipped, leaving security holes that can be exploited by hackers or Android malware.

ZTE and TCL appear to be among the worst offenders, while Google, Samsung and Sony are the best at patching. Most other major Android phone makers fall somewhere in between.

MORE: Best Android Antivirus Software and Apps

"Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks," the SRL website preview says.

It can get worse that that, Nohl told Wired's Andy Greenberg.

"Sometimes these guys just change the date without installing any patches," Nohl was quoted as saying. "We found several vendors that didn't install a single patch but changed the patch date forward by several months."

The researchers told Greenberg that they examined 1,200 handsets for evidence of every Android security patch released in 2017. The phones all claim to have received at least one security update since October 2017.

Nohl and Lell plan to present their findings at the Hack in the Box security conference in Amsterdam tomorrow, and post their full paper online after their presentation.

SRL has updated its SnoopSnitch Android security app to detect whether a phone has missed security updates. For some features, the app needs to be run on rooted Android phones, but the security patch analysis will work on all phones using a Qualcomm chipset.

This OnePlus phone seems to be in decent, if outdated, security shape. Screenshot: Tom's Guide

This OnePlus phone seems to be in decent, if outdated, security shape. Screenshot: Tom's Guide

Google pushes out Android security updates at the beginning of each month, but only Google's own Pixel and late-model Nexus phones will get them right away. Other handset makers have to examine each update and, if necessary, tailor them to fit each of their own devices.

Most non-Google Android phone makers (except for Sony) were once terrible at keeping up with security patches. But in the last couple of years many of them, including Samsung and Motorola, sped up the process and now issue the Google patches within a few weeks.

Or so you'd think. While Nohl and Lell found, on average, between zero to one missed patches since October 2017 on each Samsung, Google and Sony phone they tested, they found between three and four missed patches on the Motorola phones. It appears Motorola may not be living up to its promises.

Motorola was joined in the three-to-four-missed-patch purgatory by HTC, Huawei and LG. In a somewhat better grouping, each Xiaomi, OnePlus and Nokia phone tested had between one and three missed patches.

Bringing up the rear were ZTE and TCL, whose phones had an average of more than four missed Android security practices. If a phone made by either of those companies is your daily driver, you might want to trade up to something a little more secure.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.