Android phone makers skip Google security updates without telling users

Smartphone manufacturers caught lying to consumers about having the latest Android Security patches

SnoopSnitch - Android Apps on Google Play

But what happens when you discover that some Android phone manufacturers - and alas, seemingly even Google themselves - skip these patches and just adjust the date displayed on your phone settings?

Over the past few years, Android manufacturers have built up a reputation of being slow to issue important software updates.

One of the biggest issues with the Android operating system is the fragmentation problem, as Google has struggled to have smartphone manufacturers and carriers push out updates for Android smartphones.

Your Android phone may not be on the level when it tells you it's up to date on software, with security researchers warning that even device-makers releasing relatively timely updates could in fact be missing out security updates.

The researchers Karsten Nohl and Jakob Lell have been working for the past two years to reverse engineer that code running on Android devices and looking if there was some "patch gap". Researchers found that most vendors claim that their handsets have the latest updates when they don't. "It's small for some devices and pretty significant for others", is what Nohl told Wired.

ZTE and TCL are among the worst offenders, followed by HTC, LG, Motorola, and Huawei.

Fortnite Is Down, Normal Service Will Resume In A Few Hours
The game is preventing a lot of people from logging in, acting like they're entering the wrong username and/or password. A popular new video game released this fall has taken Allen Community College, and the rest of the world, by storm.

The researchers did find a correlation between skipped patches and chipsets, however. Out of the 1,200 phones tested by SRL, which included devices from Google, Samsung, HTC, Motorola and TCL, the firm found that even flagship devices from Samsung and Sony missed a patch. "Sometimes these guys just change the date without installing any patches". Nevertheless it still remains that according to SRL, patch updates were still listed as being up to date when they weren't, which might lead some users to wonder going forward if their device has actually been updated with the latest security fixes.

The company has moved towards encrypting all data that leave and enter Android devices with the industry-standard Transport Layer Security (TLS) protocol, and is further tightening the requirements in Android P, which is now in developer preview.

While many of these missed security patches may not be inherently unsafe in isolation, hackers typically chain together multiple security holes to reach their goal, taking over devices and stealing data.

Indeed, not for nothing does Android have a reputation for being a Wild West of security patches and OS versions. Meanwhile companies like Nokia, OnePlus and Xiaomi were missing 1-3 patches on average.

As for Google's response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted "patch gap". "Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device", the researchers wrote. Other protections include app sandboxing, Google Play Protect, and the Android ecosystem's diversity.

Nohl said that this "deliberate deception" wasn't as common as vendors simply forgetting to update their devices.

Latest News