- Some Android vendors are purposefully lying about the latest security update on their phones.
- ZTE and TCL are among the worst offenders, followed by HTC, LG, Motorola, and Huawei.
- Phones with Mediatek chipsets are far more likely to deceive users about the latest updates.
Android brands can definitely do a better job of delivering security updates, but did you know that your phone manufacturer might be hiding patches from you?
That’s according to a two-year study by Security Research Labs (SRL), which found a so-called “patch gap,” Wired reports. The Berlin-based team found that many Android phone manufacturers were far behind on updates, or were even lying about the last security update applied to the phone.
“Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best,” Karsten Nohl, Security Research Labs founder, told the publication.
The study found that lesser-known brands were worse than the likes of Google and Samsung. But results could even vary within a brand, as SRL found. The team cited the Samsung J5 2016 as being honest about the lack of patches, while the J3 2016 lacked 12 patches (including two deemed “critical”) despite claiming to receive every security update in 2017.
Nohl said that this “deliberate deception” wasn’t as common as vendors simply forgetting to update their devices. Nevertheless, the security company plans to update its SnoopSnitch app to show users the actual patch status of their handset.
The company also produced a chart (above), showing how many patches a brand was missing on average, despite claiming to be up-to-date. Big winners were Google, Samsung, Sony and French brand Wiko, while TCL and ZTE brought up the rear.
There’s far more worrying news for owners of Mediatek-equipped phones, as SRL found that these devices stealthily skipped 9.7 security updates on average. By comparison, the next highest number was 1.9 skipped patches, by Huawei’s HiSilicon.
The research group explained the discrepancy by noting that budget phones are more likely both to skip security updates and to use cheap chips. Wired adds that flaws can be found in the mobile chips themselves, and phone makers depend on the silicon vendors to supply those fixes. So even if a company wants to patch its phone, it can’t do much if the chipmaker doesn’t help out.
Nohl told the publication that hackers still have a challenge on their hands, owing to Google’s existing security measures. “Even if you miss certain patches, chances are they’re not aligned in a certain way that allows you to exploit them.”
The results are undoubtedly a cause for concern, but Nohl reckons cyber-criminals will “most likely” stick to social engineering techniques, such as dodgy apps on the Play Store.
We’ve contacted Nohl, Google, Mediatek, ZTE, and TCL and will update the article if we receive a response.
April 12, 2018 at 05:39 AM