Android vendors fail to install security patches

Security researchers have accused some Android device makers of misleading users about whether or not devices are being patched.

Security Research Labs analysed a large number of devices running Google's Android operating system, and found that some vendors fail to apply critical and high severity security patches.

Worse, vendors allegedly misled users by claiming devices are fully patched when in fact they are missing important monthly updates for Android, the researchers said.

Speaking to Wired, SRL researchers Karsten Nohl and Jakob Nell said they found several vendors that had not installed a single patch.

The vendors instead allegedly moved the patch date forward by several months.

Nohl labelled this as "deliberate deception".

While top-tier vendors such as Google, Sony, and Samsung miss no or very few patches, budget Chinese smartphone makers TCL and ZTE failed to install more than four, despite claiming to have fully updated devices, the researchers reported.

Source: SRL

SRL noted that missed patches doesn't necessarily mean that hackers have an easy time breaking into Android phones.

Nohl and Kell pointed to security features in Android such as memory address space layout randomisation (ASLR) and application isolation making exploitation of devices complex.

"Instead criminals focus on social[ly] engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps," the researchers said.

Nevertheless, it's important to patch devices to make it harder for determined hackers such as state-sponsored actors who are able to use zero day and existing vulnerabilties to compromise Android devices, SRL said.

The security vendor has a free app, Snoopsnitch, in Google's Play store that attempts to analyse how many patches are installed on Android devices.

iTnews ran SnoopSnitch on three newer Android devices - the Huawei P20, Samsung Galaxy S9 Plus, and Sony Xperia XZ.

The app reported that the Sony devices missed one security update, but found that tests for five other patches were inconclusive.

SnoopSnitch believed the Samsung and Huawei devices running Android 8.1 were fully patched; however, on the Samsung device, tests for 23 patches were inconclusive.