Android update screen

A large number of Android manufacturers (OEMs) are skipping security patches but lying to users about it, according to the team at Security Research Labs (SRL), a Berlin-based cyber-security firm.

Google releases Android security patches each month in the form of the Android Security Bulletin. The OS maker distributes the bulletin to OEMs and chipset providers, and each adds its own updates, depending on the Android OS variant that ships with each smartphone.

Every time one of these updated OS builds reaches a user's device, the update also sets the "Android security patch level" shown in the phone's settings to the month and year of the Google Android security bulletin whose patches it is supposed to include.

Some OEMs are slacking off

But speaking today at the HackInTheBox security conference in Amsterdam, the Netherlands, SRL researchers said that many OEMs are lying about these patches.

For the past two years, SRL researchers Karsten Nohl and Jakob Lell have analyzed the content of the security updates delivered by today's biggest Android OEMs.

The two discovered that OEM vendors claim to deliver up-to-date security updates, yet many of them skip installing some of those patches on users' devices, for unknown reasons.

"Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks," the SRL team said today in a blog post accompanying their HackInTheBox presentation slides.

Some device vendors are worse than others, skipping four or more patches while still claiming their devices are up to date.

SRL table missed patches

Some chipset vendors are also to blame for the patch gap

According to Nohl and Lell, one reason for the tardiness or gaps in patch delivery may be the chipset (CPU) providers: the researchers noticed that one company in particular, MediaTek, was often lagging 9-10 patches behind.

This, in turn, created a bottleneck for many OEMs, who were ready to ship the Android OS-specific patches but did not yet have the firmware-related fixes from the chip vendor.

Because these hardware-level fixes are counted in the Android security bulletins, OEMs ended up shipping updates that advertised a given "security patch level" while actually missing some of the patches that level is supposed to include.

But not all missing patches can be attributed to lazy chipset vendors; in some cases, the missing patches were ones the OEM itself was responsible for and simply skipped.

The SRL team has released an app on the Google Play Store named SnoopSnitch that analyzes the user's own device, lists which patches are missing, and reports whether the device is truly as up-to-date as the "security patch level" in its settings claims.
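The gap the article describes is the difference between the patch level a device advertises and the fixes actually present for the bulletins that level covers. The following added example (not SnoopSnitch's code, nor SRL's) audits that gap and attributes each missing fix to the AOSP side or the chipset vendor, as the article does for MediaTek. The bulletin catalogue, fix IDs and the "four or more" rating threshold are constructed assumptions; the only real identifier is the `ro.build.version.security_patch` property that holds the patch level date.

```python
from dataclasses import dataclass
from datetime import date

# Constructed catalogue: fixes each monthly bulletin expects on a device,
# tagged by who supplies them (AOSP code vs. chipset firmware).
# Fix IDs are placeholders, not real CVEs or bulletin entries.
BULLETINS = {
    date(2018, 1, 5): {"AOSP-0118-A": "aosp", "CHIP-0118-A": "chipset"},
    date(2018, 2, 5): {"AOSP-0218-A": "aosp", "AOSP-0218-B": "aosp"},
    date(2018, 3, 5): {"AOSP-0318-A": "aosp", "CHIP-0318-A": "chipset"},
    date(2018, 4, 5): {"AOSP-0418-A": "aosp", "CHIP-0418-A": "chipset",
                       "CHIP-0418-B": "chipset"},
}


def parse_patch_level(prop: str) -> date:
    """Parse the ro.build.version.security_patch value (YYYY-MM-DD)."""
    return date.fromisoformat(prop.strip())


@dataclass
class GapReport:
    claimed: date
    missing: dict  # fix id -> supplier ("aosp" or "chipset")

    def count(self) -> int:
        return len(self.missing)

    def by_supplier(self) -> dict:
        """Group missing fixes so OEM vs. chipset blame can be separated."""
        out = {}
        for fix, who in self.missing.items():
            out.setdefault(who, []).append(fix)
        return out

    def rating(self) -> str:
        # Assumed thresholds, loosely following the article's "four or more".
        n = self.count()
        return "up to date" if n == 0 else ("some missed" if n < 4 else "four or more missed")


def audit(claimed_prop: str, observed_fixes: set) -> GapReport:
    """Compare the advertised patch level with the fixes actually present."""
    claimed = parse_patch_level(claimed_prop)
    missing = {}
    for bulletin, fixes in BULLETINS.items():
        if bulletin > claimed:
            continue  # fixes newer than the claimed level are not owed
        for fix, who in fixes.items():
            if fix not in observed_fixes:
                missing[fix] = who
    return GapReport(claimed, missing)
```

A fleet-wide version would feed the same check with fix presence gathered from each device rather than a hand-built set.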

SnoopSnitch app

Image credits: Claudia Rahanmetan, Security Research Labs
