Some Android OEMs discovered to be lying about security patches [Update]
Update, April 13: Google has given the following statement to the Verge:
Missed patches certainly make your phone more vulnerable compared to those that are up-to-date, but even so, that doesn't mean you're entirely unprotected. Monthly patches definitely help, but there are general measures in place to ensure that all Android phones have some level of enhanced security.
Once a month, Google updates the Android Security Bulletin and releases new monthly patches to fix vulnerabilities and bugs as soon as they pop up. It's no secret that many OEMs are slow to update their hardware with said patches, but it's now been discovered that some of them claim to have updated their phones when, in fact, nothing's changed at all.
This revelation was made by Karsten Nohl and Jakob Lell from Security Research Labs, and their findings were recently presented at this year's Hack in the Box security conference in Amsterdam. Nohl and Lell examined the software of 1200 Android phones from Google, Samsung, OnePlus, ZTE, and others, and upon doing so, found that some of these companies change the security patch appearance when updating their phones without actually installing them.
Some of the missed patches are expected to be made on accident, but Nohl and Lell came across certain phones where things just didn't add up. For example, while Samsung's Galaxy J5 from 2016 accurately listed the patches it had, the J3 from the same year appeared to have every single patch since 2017 despite missing 12 of them.
The research also revealed that the type of processor used in a phone can have an impact on whether or not it gets updated with a security patch. Devices with Samsung's Exynos chips were found to have very few skipped patches, whereas those with MediaTek ones averaged out with 9.7 missing patches.
After running through all of the phones in their testing, Nohl and Lell created a chart outlining how many patches OEMs missed but still claimed to have installed. Companies like Sony and Samsung only missed between 0 and 1, but TCL and ZTE were found to be skipping 4 or more.
Be an expert in 5 minutes
Get the latest news from Android Central, your trusted companion in the world of Android
- 0-1 missed patches (Google, Sony, Samsung, Wiko)
- 1-3 missed patches (Xiaomi, OnePlus, Nokia)
- 3-4 missed patches (HTC, Huawei, LG, Motorola)
- 4+ missed patches (TCL, ZTE)
Shortly after these findings were announced, Google said that it'd be launching investigations into each of the guilty OEMs to find out what exactly's going on and why users are being lied to about which patches they do and don't have.
Even with that said, what's your take on this? Are you surprised by the news, and will this have an impact on the phones you buy going forward? Sound off in the comments below.
Joe Maring was a Senior Editor for Android Central between 2017 and 2021. You can reach him on Twitter at @JoeMaring1.