
April 12, 2018

Numerous Android OEMs discovered to be lying about security patches

by John_A

Samsung, LG, and Motorola are among those at fault.

Once a month, Google updates the Android Security Bulletin and releases new monthly patches to fix vulnerabilities and bugs as soon as they pop up. It’s no secret that many OEMs are slow to update their hardware with said patches, but it’s now been discovered that some of them claim to have updated their phones when, in fact, nothing’s changed at all.


This revelation comes from Karsten Nohl and Jakob Lell of Security Research Labs, who presented their findings at this year’s Hack in the Box security conference in Amsterdam. Nohl and Lell examined the firmware of 1200 Android phones from Google, Samsung, OnePlus, ZTE, and others, and found that some of these companies advance the security patch level their phones display when pushing an update without actually installing the corresponding patches.

Samsung’s Galaxy J3 from 2016 claimed to have 12 patches that simply weren’t installed on the phone.

Some of the missed patches are probably accidental, but Nohl and Lell came across certain phones where things just didn’t add up. For example, while Samsung’s Galaxy J5 from 2016 accurately listed the patches it had, the J3 from the same year claimed every single patch since 2017 despite missing 12 of them.

The research also revealed that the type of processor used in a phone can have an impact on whether or not it gets updated with a security patch. Devices with Samsung’s Exynos chips were found to have very few skipped patches, whereas those with MediaTek ones averaged out with 9.7 missing patches.

After running through all of the phones in their testing, Nohl and Lell created a chart outlining how many patches each OEM missed while still claiming to have installed them. Companies like Sony and Samsung missed only 0 to 1, but TCL and ZTE were found to be skipping 4 or more.

  • 0-1 missed patches (Google, Sony, Samsung, Wiko)
  • 1-3 missed patches (Xiaomi, OnePlus, Nokia)
  • 3-4 missed patches (HTC, Huawei, LG, Motorola)
  • 4+ missed patches (TCL, ZTE)
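The practical takeaway for anyone managing a fleet of Android devices is that the patch level shown under Settings is only a claim. It comes from the `ro.build.version.security_patch` build property, a plain string the OEM sets when it builds the firmware, so a recent value proves nothing about which fixes are really present. The following POSIX shell script is an added example (it is not from this article, Security Research Labs, or Google) that shows the first step of such an audit: collecting the claimed patch levels per device and flagging the ones that are stale or malformed. The device serials and patch levels in the inventory are constructed for the example; in practice they would come from `adb shell getprop ro.build.version.security_patch` on each device. The script deliberately stops at the claim, which is exactly the gap the research exposes: confirming that a patch is actually installed requires inspecting the patched binaries themselves.

```shell
#!/bin/sh
# Added example: audit the patch level Android devices *claim* to have.
# The value mirrors the ro.build.version.security_patch property shown in
# Settings. It is set by the OEM at build time and is not verified by anything
# on the device, so OK below only means "the claim is recent", never "patched".

# Convert a YYYY-MM-DD patch level into a month count so two dates can be
# subtracted without relying on GNU `date -d`. Returns 1 on malformed input.
patch_level_to_months() {
    year=${1%%-*}
    rest=${1#*-}
    month=${rest%%-*}
    # Android reports exactly four-digit years and two-digit months.
    [ "${#year}" -eq 4 ] && [ "${#month}" -eq 2 ] || return 1
    case "$year$month" in
        *[!0-9]*) return 1 ;;
    esac
    m=${month#0}   # drop the leading zero so 08 and 09 are not read as octal
    [ "$m" -ge 1 ] && [ "$m" -le 12 ] || return 1
    echo $(( year * 12 + m ))
}

# Whole months between a claimed patch level ($1) and a reference date ($2),
# typically the date of the latest Android Security Bulletin.
months_behind() {
    claimed=$(patch_level_to_months "$1") || return 1
    ref=$(patch_level_to_months "$2") || return 1
    echo $(( ref - claimed ))
}

# Classify one claim: $1 = claimed level, $2 = reference date, $3 = max months.
# INVALID: not a well-formed patch level (worth a look on its own).
# STALE:   the claim itself is older than the allowed window.
# OK:      the claim is recent; the patches still need independent verification.
classify_device() {
    behind=$(months_behind "$1" "$2") || { echo INVALID; return 0; }
    if [ "$behind" -gt "$3" ]; then echo STALE; else echo OK; fi
}

# Constructed sample inventory (serial, claimed patch level), as a script
# collecting `getprop ro.build.version.security_patch` per device might write it.
SAMPLE_INVENTORY='
deviceA 2018-04-05
deviceB 2017-11-01
deviceC 2018-4-5
'

# Print "serial level verdict" for every inventory line. $1 = reference date,
# $2 = maximum number of months a claim may lag behind it.
audit_inventory() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r serial level; do
        [ -n "$serial" ] || continue
        echo "$serial $level $(classify_device "$level" "$1" "$2")"
    done
}

# Usage: reference date of the bulletin being audited against, two-month window.
audit_inventory 2018-04-05 2
```

Running the script prints one verdict per device; deviceB is reported as STALE because its claim lags the reference date by five months, and deviceC as INVALID because its patch level is not in the YYYY-MM-DD form Android uses. A STALE or INVALID verdict is a reason to escalate, while an OK verdict is only a reason to move on to the next step of checking whether the claimed fixes are actually present.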

Shortly after these findings were announced, Google said that it would be launching investigations into each of the guilty OEMs to find out exactly what is going on and why users are being lied to about which patches they do and don’t have.

Missed patches certainly leave your phone more vulnerable than one that is fully up to date, but even so, that doesn’t mean you’re entirely unprotected. Monthly patches definitely help, but Android also has general platform-level protections that give every phone some baseline level of security.

Even with that said, what’s your take on this? Are you surprised by the news, and will this have an impact on the phones you buy going forward? Sound off in the comments below.
