A shocking new research report from the Germany-based firm Security Research Labs (SRL) revealed this week that many Android vendors not only fail to make key security patches available to their customers, but that some go so far as to knowingly deceive device owners by telling them their firmware is secure and up-to-date, when in fact the OEM has either delayed or intentionally skipped the latest security patch, according to WIRED.
Compiled by SRL founders and lead researchers Karsten Nohl and Jakob Lell, the findings were presented on Friday at the Netherlands' annual Hack in the Box security conference, held this year in Amsterdam. They encompass over two years' worth of reverse-engineering the Android OS code installed on "hundreds" of Android smartphones, all in an attempt to assess whether each device actually contained the security patches indicated in its settings menu.
Notably, the researchers found what they described as a sizable "patch gap": a phenomenon whereby some Android OEMs inform users that their devices are up-to-date with the latest Android security patches, when in reality they are missing a number of the patches released during a given period, rendering some phones vulnerable to a "collection of known hacking techniques."
“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” said well-known security researcher and SRL founder Karsten Nohl, adding that “Sometimes, these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
Focusing specifically on the Android security patches issued during the 2017 calendar year, SRL tested the firmware of as many as 1,200 Android smartphones manufactured by a wide range of OEMs, including Google, major Android device-makers such as Samsung, Motorola, HTC and LG, and regional Chinese OEMs like TCL and ZTE.
Damningly, the researchers found that while Google's own flagship devices like the Pixel and Pixel 2 were relatively unaffected by the patch gap phenomenon, several other high-end phone makers were in some rare instances found to have claimed their devices were up-to-date with the latest Android security patches when in fact they were not, creating a "false sense of security."
“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl said, noting how “That’s deliberate deception, and it’s not very common.”
Nohl also noted that "It's almost impossible for the user to know which patches are actually installed." He referred to a particular case involving two Samsung devices, its 2016 J5 and J3 handsets: the former was "perfectly honest" about which security patches were installed and which were not, while the latter "claimed to have every Android patch issued in 2017" but actually lacked close to a dozen of them.
Once their data for every Android smartphone and vendor was fully analyzed, SRL formatted the findings into the chart (shown below), which splits Android OEMs up into three distinct categories premised around “how faithfully” their patching claims coincided with reality during the 2017 testing period.
Notably, devices from "major Android vendors" such as Xiaomi, OnePlus and Nokia were found to have between "one and three missing patches;" other major vendors, including HTC, Huawei, Motorola, and LG, skipped "between three and four of the patches they claimed to have installed;" while the lowest-performing Android OEMs on the list, Chinese firms TCL and ZTE, on average had missed "more than four patches" which they claimed to have installed, but in fact had not.
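The "patch gap" SRL measures is the difference between the patch level a device claims (the date shown in Settings, the same value as the `ro.build.version.security_patch` property) and the bulletin patches an on-device check actually finds. The following is an added example, not SRL's code or data: it models that comparison with constructed per-patch results (hypothetical `patch-*` identifiers, not real CVEs) and maps the count onto the bands from SRL's chart; the boundary handling between bands is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PatchTest:
    """One Android bulletin fix and whether a (hypothetical) binary check found it."""
    patch_id: str      # constructed placeholder, not a real CVE number
    bulletin: date     # month the fix appeared in the Android Security Bulletin
    installed: bool    # result of the on-device fingerprint check (assumed)


def parse_patch_level(level: str) -> date:
    """Parse the claimed level as shown in Settings, e.g. '2017-12-01'."""
    year, month, day = (int(part) for part in level.split("-"))
    return date(year, month, day)


def patch_gap(claimed_level: str, tests: list[PatchTest]) -> list[PatchTest]:
    """Patches the device claims (bulletin <= claimed level) but does not have.
    Fixes newer than the claimed level are not counted: nobody claimed them."""
    claimed = parse_patch_level(claimed_level)
    return [t for t in tests if t.bulletin <= claimed and not t.installed]


def classify(missing: int) -> str:
    """Map a missing-patch count onto the bands in SRL's chart (assumed edges)."""
    if missing == 0:
        return "no gap"
    if missing <= 3:
        return "1-3 missing"
    if missing <= 4:
        return "3-4 missing"
    return "more than 4 missing"


# Constructed check results for one hypothetical device; not SRL data.
SAMPLE_TESTS = [
    PatchTest("patch-2017-03-a", date(2017, 3, 1), installed=True),
    PatchTest("patch-2017-06-b", date(2017, 6, 1), installed=False),
    PatchTest("patch-2017-09-c", date(2017, 9, 1), installed=False),
    PatchTest("patch-2017-11-d", date(2017, 11, 1), installed=True),
    PatchTest("patch-2018-01-e", date(2018, 1, 1), installed=False),
]

if __name__ == "__main__":
    # An honest claim of 2017-03-01 shows no gap; inflating it to 2017-12-01
    # exposes the two fixes the device advertises but lacks.
    for claim in ("2017-03-01", "2017-12-01"):
        gap = patch_gap(claim, SAMPLE_TESTS)
        print(claim, [t.patch_id for t in gap], classify(len(gap)))
```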
WIRED reached out to Google for comment on SRL's findings. The search giant responded that while it appreciates the firm's research, some of the analyzed handsets may not have been Android certified, meaning that, unlike the company's flagship Pixel handsets, they may not be held to Google's security standards.
“Security updates are one of many layers used to protect Android devices and users,” said Android security chief, Scott Roberts, in a statement emailed to WIRED. “Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”
The company further noted that the vast majority of "modern" Android smartphones are equipped with newer security protections, such as Google Play Protect, which make them difficult to hack even when unpatched security vulnerabilities are identified but not immediately addressed.
Moreover, Google added, some Android OEMs may have responded to known security patches by simply removing a vulnerable feature from the device rather than patching it.
In any case, Google said that it will be working directly with SRL to further investigate the firm's findings presented in today's report, which can be read in full here.