In the age of cyber attacks, smartphone users rely on manufacturers to keep their gadgets secure with regular updates.
However, according to German security firm Security Research Labs, not only do some Android phone makers fail to issue updates regularly, they have also been misinforming users by lying that their phones’ firmware is fully updated even when they have skipped several security patches.
As reported by Wired, the lie was unearthed by researchers Karsten Nohl and Jakob Lell, who spent two years reverse engineering the operating systems of hundreds of Android phones to check whether each device actually contained the security patches claimed by the vendor.
The article said that the duo found a “patch gap”: some vendors gave users the impression that the phone was fully up to date, but in reality it had missed up to a dozen patches, leaving the smartphone potentially vulnerable to a slew of cyberattacks.
Nohl tells Wired: “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
Security Research Labs had tested the firmware of 1,200 phones, from more than a dozen Android manufacturers, for every patch released in 2017.
The testing revealed that only Google’s own smartphones contained every patch announced in last year’s security updates. While it is common for some vendors to neglect patching older devices, Nohl claims that there is a bigger problem at hand.
“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl tells Wired. “That’s deliberate deception, and it’s not very common.”
Security Research Labs has released an update to its Android app SnoopSnitch that lets users check the actual state of their phones’ security updates. Security patches on third-party devices have always been an issue for Google and its Android operating system.
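The core of the finding is that the patch level a phone displays is just a string the vendor writes into the build properties, while the real question is whether each monthly patch is present in the binaries. The following is an added example (not code from Security Research Labs, SnoopSnitch or Wired) of how a fleet auditor might compare the two: it parses a constructed build.prop excerpt for the claimed patch level and checks it against a constructed table of per-patch verification results, reporting the months the device claims to cover but demonstrably does not. The property name `ro.build.version.security_patch` is the real Android property; the verification results are stand-ins for whatever on-device test produced them.

```python
"""Patch-gap audit: claimed Android security patch level vs. verified patches.

Added example, not code from Security Research Labs or SnoopSnitch.
The build.prop excerpt and the verification results are constructed.
"""
import re
from datetime import date

# Constructed build.prop excerpt. The patch level is a vendor-written string,
# so by itself it proves nothing about which patches are actually installed.
BUILD_PROP = """\
ro.build.version.release=8.0.0
ro.build.version.security_patch=2017-12-01
ro.product.manufacturer=ExampleVendor
"""

# Constructed per-patch verification results, keyed by bulletin month:
# True = patch found in the device binaries, False = known missing,
# None = test inconclusive (counted separately, not as a gap).
VERIFIED = {
    "2017-07": True,
    "2017-08": True,
    "2017-09": False,
    "2017-10": False,
    "2017-11": None,
    "2017-12": False,
}

_PATCH_RE = re.compile(
    r"^ro\.build\.version\.security_patch=(\d{4})-(\d{2})-(\d{2})$", re.M
)


def claimed_patch_level(build_prop: str) -> date:
    """Return the patch level the device itself reports."""
    m = _PATCH_RE.search(build_prop)
    if not m:
        raise ValueError("ro.build.version.security_patch not found")
    year, month, day = map(int, m.groups())
    return date(year, month, day)


def patch_gap(build_prop: str, verified: dict) -> dict:
    """Compare the claimed level with verification results.

    A bulletin month counts toward the gap only if the claimed level says it
    should be included (bulletin date <= claimed date) and the check found
    the patch missing. Months after the claimed level are not a lie, just
    not yet shipped.
    """
    claimed = claimed_patch_level(build_prop)
    missing, inconclusive = [], []
    for month, present in sorted(verified.items()):
        y, mo = map(int, month.split("-"))
        if date(y, mo, 1) > claimed:
            continue  # vendor never claimed this bulletin
        if present is False:
            missing.append(month)
        elif present is None:
            inconclusive.append(month)
    return {
        "claimed": claimed.isoformat(),
        "missing": missing,
        "inconclusive": inconclusive,
        "gap": len(missing),
        # A non-zero gap means the displayed level overstates what is installed.
        "overstated": bool(missing),
    }


if __name__ == "__main__":
    result = patch_gap(BUILD_PROP, VERIFIED)
    print(f"claimed level {result['claimed']}: "
          f"{result['gap']} missing patch(es) {result['missing']}, "
          f"{len(result['inconclusive'])} inconclusive")
```

On a real device the build.prop text would come from `adb shell getprop ro.build.version.security_patch` and the verification table from a binary-level check; the point of the script is that the date alone is never treated as evidence.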
Although Google is the source of Android’s security patches, the onus is still on third parties – including Android phone manufacturers and network carriers – to push the updates to devices.
Google responded to Wired by stating that “modern Android phones have security features that make them difficult to hack even when they do have unpatched security vulnerabilities”.
The article also shared that Google argued that in some cases, “patches might have been missing from devices because the phone vendors responded by simply removing a vulnerable feature from the phone rather than patch it, or the phone didn’t have that feature in the first place”.
The article also states that Google is working with Security Research Labs to further investigate its findings.