Some Android OEMs discovered to be lying about security patches [Update]

Hide your keys, hide your phone
Hide your keys, hide your phone (Image credit: Android Central)

Update, April 13: Google has given the following statement to the Verge:

We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging.

Missed patches certainly make your phone more vulnerable compared to those that are up-to-date, but even so, that doesn't mean you're entirely unprotected. Monthly patches definitely help, but there are general measures in place to ensure that all Android phones have some level of enhanced security.

Once a month, Google updates the Android Security Bulletin and releases new monthly patches to fix vulnerabilities and bugs as soon as they pop up. It's no secret that many OEMs are slow to update their hardware with said patches, but it's now been discovered that some of them claim to have updated their phones when, in fact, nothing's changed at all.

This revelation was made by Karsten Nohl and Jakob Lell from Security Research Labs, and their findings were recently presented at this year's Hack in the Box security conference in Amsterdam. Nohl and Lell examined the software of 1200 Android phones from Google, Samsung, OnePlus, ZTE, and others, and upon doing so, found that some of these companies change the security patch appearance when updating their phones without actually installing them.

Samsung's Galaxy J3 from 2016 claimed to have 12 patches that simply weren't installed on the phone.

Some of the missed patches are expected to be made on accident, but Nohl and Lell came across certain phones where things just didn't add up. For example, while Samsung's Galaxy J5 from 2016 accurately listed the patches it had, the J3 from the same year appeared to have every single patch since 2017 despite missing 12 of them.

The research also revealed that the type of processor used in a phone can have an impact on whether or not it gets updated with a security patch. Devices with Samsung's Exynos chips were found to have very few skipped patches, whereas those with MediaTek ones averaged out with 9.7 missing patches.

After running through all of the phones in their testing, Nohl and Lell created a chart outlining how many patches OEMs missed but still claimed to have installed. Companies like Sony and Samsung only missed between 0 and 1, but TCL and ZTE were found to be skipping 4 or more.

  • 0-1 missed patches (Google, Sony, Samsung, Wiko)
  • 1-3 missed patches (Xiaomi, OnePlus, Nokia)
  • 3-4 missed patches (HTC, Huawei, LG, Motorola)
  • 4+ missed patches (TCL, ZTE)

Shortly after these findings were announced, Google said that it'd be launching investigations into each of the guilty OEMs to find out what exactly's going on and why users are being lied to about which patches they do and don't have.

Even with that said, what's your take on this? Are you surprised by the news, and will this have an impact on the phones you buy going forward? Sound off in the comments below.

Why I'm still using a BlackBerry KEYone in Spring 2018

Joe Maring

Joe Maring was a Senior Editor for Android Central between 2017 and 2021. You can reach him on Twitter at @JoeMaring1.