Android phone makers are misleading customers with missing security patches

Your Android phone may not be as secure as it claims to be.

Android smartphone manufacturers appear to have been misleading users into thinking their devices have the latest security patches. First reported by Wired, security researchers Karsten Nohl and Jakob Lell of Security Research Labs (SRL) revealed “patch gaps” they had found in Android smartphones at a security conference on Friday.

After two years of painstakingly reviewing hundreds of devices, the researchers determined some manufacturers not only failed to update their devices entirely but also lied to customers about doing so. In many cases, a third-party phone maker would tell users their devices had the latest security patches when they were actually missing multiple updates, leaving them open to a range of cyberattacks.

“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” Nohl told Wired. “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”

The security group reportedly tested 1,200 Android devices from more than a dozen manufacturers for every security patch released in 2017. Some phone vendors did better than others. As expected, Google phones fared best, along with devices from Sony, Samsung, and French phone company Wiko. Devices from those manufacturers had, on average, zero to one missing patch that was claimed to have been installed. Vendors whose devices had one to three missing patches include Nokia, Chinese giant Xiaomi and fan-favorite OnePlus. Several major phone companies whose devices are owned by millions of Americans did even worse, including HTC, Huawei, LG, and Lenovo-owned Motorola, whose devices had three to four missing patches. At the bottom of the list were Chinese brands TCL and ZTE, all of whose phones had four or more missing updates.

Unlike Apple and iOS, Google has, for years, relied on third-party manufacturers like Samsung, LG, and HTC to produce the hardware for its immensely popular Android operating system. When Google creates new security updates each month, it trickles them down to device makers that get the ultimate say on how and when to update their phones.
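The "patch gap" the researchers describe is the difference between the patch level a device advertises (the date string Android exposes as ro.build.version.security_patch) and the monthly bulletins whose fixes are actually present. The following is an added fleet-audit example, not code from the article or from Security Research Labs; the device records, the 2017 bulletin list and the helper names are all constructed assumptions, and the "verified" set stands in for whatever fix-presence testing an auditor actually performs.

```python
"""Audit the Android "patch gap": compare the patch level a device claims
(ro.build.version.security_patch) with the monthly bulletins whose fixes were
actually confirmed on the device. All device data below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Constructed reference list: one bulletin per month of 2017, keyed by the
# first of the month (real patch-level strings end in -01 or -05; both map
# to the same bulletin month here).
BULLETINS_2017: list[date] = [date(2017, m, 1) for m in range(1, 13)]


def month(level: str) -> date:
    """Normalise a YYYY-MM-DD patch-level string to its bulletin month."""
    y, m, _ = (int(part) for part in level.split("-"))
    return date(y, m, 1)


def months(first: int, last: int, year: int = 2017) -> set[date]:
    """Build a 'verified' set covering months first..last inclusive."""
    return {date(year, m, 1) for m in range(first, last + 1)}


@dataclass
class DeviceReport:
    model: str                      # constructed label, not a real device name
    claimed_level: str              # what Settings / getprop reports
    verified: set[date] = field(default_factory=set)  # bulletins found applied


def missing_patches(report: DeviceReport,
                    bulletins: list[date] = BULLETINS_2017) -> list[date]:
    """Bulletins the claimed level implies are installed but were not verified.

    A claimed level of 2017-12-01 implies every 2017 bulletin is present, so any
    earlier month absent from the verified set counts as a missing patch."""
    claimed = month(report.claimed_level)
    implied = {b for b in bulletins if b <= claimed}
    return sorted(implied - report.verified)


def patch_gap(report: DeviceReport) -> int:
    """Number of missing bulletins; 0 means the claim matches what was found."""
    return len(missing_patches(report))


def audit(reports: list[DeviceReport]) -> dict[str, int]:
    """Map each device to its gap so mismatched claims can be flagged."""
    return {r.model: patch_gap(r) for r in reports}


# Constructed fleet: two truthful devices and one whose date was bumped
# without the fixes behind it.
FLEET = [
    DeviceReport("honest-flagship", "2017-12-01", months(1, 12)),
    DeviceReport("honest-midrange", "2017-06-01", months(1, 6)),
    DeviceReport("date-bumped-budget", "2017-12-01", months(1, 8)),
]

if __name__ == "__main__":
    for r in FLEET:
        gap = patch_gap(r)
        status = "OK" if gap == 0 else f"{gap} missing: " + ", ".join(
            d.strftime("%Y-%m") for d in missing_patches(r))
        print(f"{r.model:20s} claims {r.claimed_level}: {status}")
```

The point the check makes is that the claimed date is only an assertion: "honest-midrange" reports an older level and passes because its claim matches reality, while "date-bumped-budget" reports the newest level and fails with four missing months. The hard part, filling the verified set, cannot be read from the device's own metadata and needs per-fix testing of the kind SRL performed.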

As noted by Wired, there are a few potential reasons for why these phones don’t have the latest security updates, other than manufacturers trying to pass their devices off as being more secure than they actually are. For one, Nohl believes companies like Sony or Samsung may have missed a few patches by accident.

In other cases, where upwards of a dozen updates were missed, the blame could fall on chipset manufacturers. The researchers discovered manufacturers of low-end chipsets like Mediatek and Hisilicon missed more updates on average than powerhouses Qualcomm and Samsung. This could explain why one Samsung device, the J5 from 2016, didn’t miss any patches but the budget J3 from the same year omitted 12 of them.

There is also the possibility that instead of patching through updates, phone makers simply remove or alter the feature that might have caused the security vulnerability. Google told Wired some of the devices in the report weren’t Android-certified, and therefore aren’t tested for security and performance. It also offered reassurance that even with patches missing, it would be difficult for a bad actor to hack an Android device. Google said it was working with SRL to investigate the results of its report.

Phillip Tracy

Phillip Tracy is a former technology staff writer at the Daily Dot. He's an expert on smartphones, social media trends, and gadgets. He previously reported on IoT and telecom for RCR Wireless News and contributed to NewBay Media magazine. He now writes for Laptop magazine.