Android vendors like to claim their smartphones are routinely updated with the latest security patches. But don’t take their word for it.
New security research out of Germany has found that most Android vendors are mistakenly telling customers their phones are running the latest updates. In reality, their firmware upgrades can end up omitting a few critical patches, usually by accident.
The findings come from Karsten Nohl and Jakob Lell at Security Research Labs in Berlin, who’ve examined 1,200 firmware samples from smartphones made by over a dozen vendors. Companies such as Google, Samsung and Sony had the best record of installing the patches, whereas Chinese vendors including Lenovo’s Motorola, TCL and ZTE had trouble rolling them out.
It’s already well known that Android phones tend to receive the latest updates weeks or months after the official release by Google. In some cases, a phone won’t receive them at all. A big reason why is the Android ecosystem; it’s spread across a whole throng of manufacturers and mobile carriers, each of which is tweaking the Android operating system to help make their phones unique.
Nohl and Lell decided to investigate phones that had supposedly received and installed the latest Android updates. Specifically, they focused on patches for critical or high severity bugs that were released in 2017 and whether vendors were really rolling them out.
The two researchers have released a breakdown of their findings. Chinese manufacturers TCL and ZTE were among the biggest offenders and on average had more than 4 patches missing in their phones.
However, the devices with the most glaring issues were those built with processors from Taiwan’s MediaTek. On average, these phones had 9.7 missing patches.
In an interview on Thursday, Nohl said the patching problem can be blamed on the sheer “complexity” of the Android ecosystem and a lack of quality control. Each time Google introduces a software update, chipset vendors like Qualcomm and MediaTek test it out, make adjustments, and then hand off the software to Android smartphone makers for integration. Those vendors then have to test the Android software too, across multiple devices.
During that whole process, a security patch can be lost in the shuffle, Nohl said. “Vendors generally put in a real effort, but things can be forgotten, skipped, or the vendor will want to do it later,” he said.
Ironically, the security industry may have made the problem worse. “A few years ago, our community pressured vendors to patch every month,” Nohl said. “But the Android ecosystem is so complex.”
Samsung, for instance, has hundreds of different phone models, all of which can be sold across the world. The Korean vendor generally had a strong record on software updates, according to Nohl, but it did drop the ball when it came to its Samsung J3 handset, which was found missing 12 patches.
“If you only have one month to patch, you can’t do much quality checking,” he said.
The pressure to patch can also create incentives for vendors to lie. Nohl has observed a few cases in which a vendor tried to deceive consumers about the security of their phone. His research was actually kicked off when his company complained to one manufacturer about the missing patches on a client’s smartphone.
“In response to our complaint, all the vendor did was change the (software) date one year forward,” Nohl said. “That made us realize that the date is not actually tied to any evidence.”
Nohl declined to name the vendor, but he’s been trying to hold smartphone makers accountable. He pointed to the French vendor behind the Wiko Freddy, a smartphone found to be missing 80 patches. “Once they were made aware, they came around,” Nohl said.
The good news is that Nohl and his company have come up with a solution. On Thursday, his company released an updated version of an app that can tell you whether your smartphone is missing any patches. Data taken from that app can then be shared with the device manufacturers in the hopes the problems will be fixed.
In the meantime, owners of affected smartphones shouldn’t panic if they notice a missing software update. “Skipping a single patch does not usually expose risk,” Nohl said. Oftentimes, hacking an Android device involves exploiting a chain of software bugs, not simply one. Most Android malware can also be avoided by being careful about what you download; for instance, cybercriminals like to deliver malicious code through legitimate-looking apps uploaded to third-party app stores.
Nevertheless, each patch on an Android smartphone is like a layer of protection. The fewer you have, the more vulnerable your device can be to certain attacks, Nohl said.
In response to his research, Google agreed that even without the latest security patches, exploiting an Android phone “remains challenging.” The company is continually adding new safeguards to the Android OS that can isolate and detect malicious code before it gains a foothold.
In addition, Google is working to improve Nohl’s app so that it can identify Android phones that have “alternative security updates” installed, which the company says may have gone undetected in his research.
MediaTek said the company takes security and privacy seriously, but hasn’t had the chance to review Nohl’s research. He and his colleague Jakob Lell plan on presenting their findings on Friday at a security conference.