19th April 2018

Android Vendors Fake Security Updates

At the recent 'Hack in the Box' security conference in Amsterdam, two researchers, Karsten Nohl and Jakob Lell of the firm Security Research Labs (SRL), revealed the results of a two-year investigation into the Android security patches shipped by vendors. In their study they examined the firmware of 1,200 Android devices to see whether the patch level reported by the OS matched the patches actually present on the device, for patches released in 2017. They found what they call a 'patch gap' in many well-known OEMs' devices.

SRL believed that some of their findings were simply down to a mistake by the vendor. Others, rather worryingly, seemed to be an attempt by a vendor to let the user believe they'd applied the most recent security patch, when in fact all they had done was move the patch date forward by 'several months'! SRL then categorized the OEMs in the grid below, by the number of missed patches:

Missed patches   Vendors
0-1              Google, Sony, Samsung, Wiko
1-3              Xiaomi, OnePlus, Nokia
3-4              HTC, Huawei, LG, Motorola
4+               TCL, ZTE

Apparently Google's own Pixel phones were the only ones to have every single patch, as they should... which is actually a little worrying! (Well, not for me as a Pixel 2 XL owner, but in general.)

They went on to point out that the chipset seemed to be a factor: devices built on Samsung, Qualcomm and Hisilicon chipsets were each missing fewer than 2% of patches, while Mediatek-based devices missed almost 10% of them.

You can check what level your own phone is on by installing SRL's own app, SnoopSnitch. Head to the forum to tell us how your device does.