Researchers believe that certain Android smartphone manufacturers are skipping security patches without informing consumers, while still stating that the software on their devices is up to date with Google’s monthly security releases.
Researchers from Germany’s Security Research Labs (SRL) carried out a two-year investigation of the state of Android security, focusing on the monthly upgrades that Google distributes and encourages smartphone makers to install.
These monthly updates are critical for keeping devices secure, as they repair a selection of known flaws and holes each month, preventing hackers from exploiting them. However, the researchers discovered that there is frequently a “patch gap” between what manufacturers tell customers and what they do to the software — some merely tell users that their phones have been updated without patching anything.
“Installing fixes once a month is a good start, but it’s not enough unless all necessary patches are included in those updates,” the researchers wrote. “According to our extensive examination of Android phones, most Android OEMs routinely forget to include some fixes, leaving parts of the ecosystem vulnerable to the underlying vulnerabilities.”
Each monthly security update includes several patches for various security flaws. Users may check whether their smartphones have the latest security fixes by looking at the date of the most recent Google monthly security update shown on the device. Manufacturers, however, may apply only some of the patches and still set the security update date to the most recent one available, without installing all of the patches included in that month’s update.
According to the researchers, who discuss their findings at the Hack in the Box security conference in Amsterdam on Friday, some manufacturers may skip one or two patches from monthly security updates, while others may miss many more.
It’s one thing for people to fail to update their cellphones with the newest security upgrades, but SRL discovered that some manufacturers lie about having installed any patches at all.
“We discovered multiple manufacturers who did not install a single patch but advanced the patch date by several months,” SRL founder Karsten Nohl told Wired. “That’s deliberate deception, and it’s not very often.”
According to SRL, Google, Sony, and Samsung did the best among the top smartphone manufacturers, missing up to one patch. OnePlus and Nokia missed one to three patches, HTC, Huawei, LG, and Motorola missed three to four patches, and Chinese manufacturers TCL and ZTE missed more than four.
While many of these missing security fixes may not be dangerous in and of themselves, hackers frequently use several security gaps together to gain control of devices and steal data, so leaving any weakness unpatched compromises a device’s overall security.
“To remotely hack a phone, modern operating systems feature multiple security obstacles… all of which must be bypassed. Because of its complexity, a hacker usually needs more than a few missing updates to exploit an Android device remotely,” the researchers noted.
While criminals typically rely on social engineering to steal data from users through malicious apps and the like, the researchers say state-sponsored actors are more likely to exploit missed patches as part of their attacks using previously unknown methods.
“We’re working with [SRL] to strengthen their detection algorithms to account for circumstances where a device utilizes an alternate security update instead of the Google suggested security update,” said Scott Roberts, Google’s Android product security lead.
“Security upgrades are one of many levels that Android devices and users are protected by. Security services like Google Play Protect and built-in platform protections like application sandboxing are equally crucial. These layers of security, along with the vast diversity of the Android ecosystem, lead to the researchers’ conclusion that ‘remote exploitation of Android devices remains difficult.’”