Some Android Vendors Are Missing Security Patches And Lying About It By Simply Changing Dates
While we already know that the world of security updates is a very murky one when it comes to Android devices, it seems that things may actually be worse than first feared.
While it is very difficult for phone makers to keep on top of all of the security releases that come out of Google, according to a new report by Wired, a number of them are simply lying about whether they are up to date or not, potentially leaving devices unprotected when users believe that they are safe and sound.
The Wired article outlines data collected by Security Research Labs (SRL) researchers who spent two years observing the Android security landscape, with their findings set to be presented during an event in Amsterdam.
For those unaware, Google releases monthly security patches for Android and even makes it easy for users to see to what extent their current device is patched or, more likely, not patched. A section in the device’s Settings app shows the security patch level for all to see, and it’s this that the researchers have been checking. Does the level of patching described in the Settings app match the level of patching actually applied? As it turns out, that’s not always the case.
The SRL researchers tested around 12,000 devices from a dozen of the most popular Android device manufacturers throughout last year. Those phones came from big names including Samsung, Motorola, HTC and, of course, Google. According to the data collected, “patch gaps” were often evident: devices showed a specific date to which they were supposedly patched, while “as many as a dozen” of the patches from that particular update were actually missing.
While Google’s Pixel 2 was understandably patched and up-to-date, devices from the likes of Samsung and Sony were not so lucky. In fact, several vendors reportedly “didn’t install a single patch but changed the patch date forward by several months.” That’s alarming to learn, especially if you thought your Android device was secure.
While it is posited that the discrepancy is entirely accidental on the part of phone makers, due in part simply to the volume of patches released, that is unlikely to be of any comfort to anyone already concerned about the security of their device in a world where Android malware is much more common than we would like.