Obsessed with technology?
Subscribe to the latest tech news as well as exciting promotions from us and our partners!
By subscribing, you indicate that you have read & understood the SPH's Privacy Policy and PDPA Statement.
News
News Categories

Several Android OEMs found to be lying about security patches

By Cookie Monster - on 15 Apr 2018, 12:00am

Several Android OEMs found to be lying about security patches

Image source: Security Research Labs/Wired

It's no secret that the Android OS suffers from platform fragmentation due to the slow software updates by Android OEMs, but one German security firm recently discovered that Android OEMs lied about security patches.

The disturbing discovery was made by Karsten Nohl and Jakob, who are researchers from the Security Research Labs, when they tested the firmware of 1,2000 Android phones from more than a dozen phone makers for every Android patch released in 2017. Their testing reveal that some Android OEMs sometimes claimed to have patches installed that they actually lacked, hence creating a false sense of security. 

"We found several vendors that didn’t install a single patch but changed the patch date forward by several months," Nohl says. "That’s deliberate deception, and it's not very common."

While the researchers believe some Android OEMs missed a patch or two by accident, they couldn't explain some of their findings. For example, Samsung was honest about telling the user which patches it had installed and which it still lacked on the 2016 J5 smartphone. On the other hand, Samsung claimed to have installed every Android patch released in 2017 on the 2016 J3 smartphone, when it in fact lacked 12 of them. 

Image source: Security Research Labs/Wired

Another possible reason for the missing patches could be chip suppliers. The researchers found that phones with processors from Samsung had very few skipped patches, but phones that used MediaTek chips lacked an average of 9.7 patches. Part of the responsibility actually lies with the chip suppliers to offer the patch as there are cases where bugs are found in the chips rather than the Android OS. 

"The lessons is that if you go for a cheaper device, you end up in a less well maintained part to this ecosystem," Nohl says.

When Google was notified of these findings, it responded by pointing out that some devices may not have been Android-certified devices. Google also added that modern Android devices have security features which make them harder to hack even if they do not have the latest patches. Nonetheless, Google states that it is working with the Security Research Labs to investigate the matter further. 

Source: WIRED via Android Central