Google has been rolling out monthly security updates for its Pixel and Nexus devices for almost two years now. In addition, the company publishes a monthly security bulletin that lists the vulnerabilities fixed in that month’s security patch. Apart from Google, only a couple of OEMs roll out the monthly security updates for their devices in a timely manner. Other OEMs just take their own sweet time and update their devices months after a security patch is initially released.
Turns out, though, that Android OEMs have been lying here as well. As discovered by German researchers Karsten Nohl and Jakob Lell of Security Research Labs (SRL), many Android OEMs update their devices to show the latest monthly security patch level but quietly skip some of the patches. In some cases, Android OEMs simply changed the monthly security patch level without incorporating any of the security patches in the updated firmware. Their findings are based on testing the firmware of over 1,200 Android phones from over a dozen OEMs for all the security patches released by Google in 2017. The tested handsets included devices from major brands like Google, HTC, Motorola, TCL, LG, and ZTE.
“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” says Nohl, a well-known security researcher and SRL’s founder. In the worst cases, Nohl says, Android phone manufacturers intentionally misrepresented when the device had last been patched. “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
Apart from Google, every other Android OEM missed a few patches despite claiming to have the latest security update installed on its devices. In certain cases, with companies like Sony and Samsung, Nohl believes they accidentally missed a patch or two. But in other cases, they were definitely up to something shady. For example, Samsung claimed that every security patch had been installed on the Galaxy J3 (2016), but a bit of digging revealed that the handset had 12 patches missing, a couple of them marked as “critical.”
Most of the high-profile OEMs like Google, Sony and Samsung still fared relatively well and missed, on average, around 1 patch per device despite claiming that the device ran the latest security patch. Xiaomi, OnePlus, and Nokia also performed decently, missing around 1-3 patches on average. However, HTC, Huawei, LG, and Motorola, along with low-tier OEMs TCL and ZTE, regularly missed anywhere between 3 and 4+ patches. This clearly signals that these companies are doing this intentionally and that a patch missing from their security updates was not a one-off incident.
The issue seems to stem from the chipset your device runs on, because in many cases OEMs have to rely on the chipset maker to provide a patch for a security vulnerability. In this regard, Samsung and Qualcomm fared the best, missing around 0.5-1.1 patches on average. MediaTek performed the worst of the lot and missed a staggering 9.7 patches, which clearly shows how much the chipset maker values security.
The SRL team contacted Google, which was quick to point out that many of the tested devices were not certified by the company under its Play Protect program, which automatically means that they do not adhere to Google’s security standards. The company also notes that, despite many OEMs skipping patches in their security updates, these devices are still extremely secure thanks to the other security measures Google has implemented. While that’s certainly true, there’s still no denying that Android OEMs should not deceive their users by simply bumping the security patch date on their devices without installing the corresponding patches.
Nonetheless, as mentioned above, thanks to the multiple layers of security, it is not possible for hackers to gain access to your Android device just because it is missing a few security patches. But that still does not justify Android OEMs lying to their customers.