A large number of Android manufacturers (OEMs) are skipping security patches while telling users their devices are fully patched, according to the team at Security Research Labs (SRL), a Berlin-based cyber-security firm.
Google releases Android security patches each month in the form of the Android Security Bulletin. The OS maker shares the bulletin with OEMs and chipset providers, and each adds its own fixes for the Android variant and hardware that ship on a given phone.
Every time one of these updated OS builds reaches a user's device, the update also sets the "Android security patch level" shown in the phone's settings to the month and year of the Google bulletin whose patches it claims to implement.
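The patch level the article refers to is exposed on every Android device as the system property `ro.build.version.security_patch`, a date in `YYYY-MM-DD` form. The script below is an added example (not SRL's code and not part of SnoopSnitch) that reads that self-reported value over `adb` and computes how many months it lags a reference bulletin month; the reference date is an assumption supplied by the caller. Note what this check can and cannot tell you: it confirms the claimed level, which is exactly the figure the article says OEMs misreport. Detecting which individual patches are actually missing requires probing the device, which is what SnoopSnitch does.

```shell
#!/bin/sh
# Added example: compare a device's self-reported Android security patch level
# against a reference bulletin month. Not SRL or SnoopSnitch code.
# Requires adb on PATH and a device with USB debugging enabled for
# device_patch_level; the other functions run offline.

# Validate a YYYY-MM-DD patch level and convert it to a month count
# (year * 12 + month) so two levels can be subtracted directly.
patch_level_to_months() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;   # reject anything that is not a well-formed date
  esac
  y=${1%%-*}          # YYYY
  rest=${1#*-}        # MM-DD
  m=${rest%%-*}       # MM
  m=${m#0}            # strip a leading zero so "08"/"09" are not read as octal
  echo $(( y * 12 + m ))
}

# Whole months the claimed level lags the reference bulletin (0 = current
# or newer). Returns non-zero if either date is malformed.
months_behind() {
  claimed=$(patch_level_to_months "$1") || return 1
  ref=$(patch_level_to_months "$2") || return 1
  diff=$(( ref - claimed ))
  if [ "$diff" -lt 0 ]; then diff=0; fi
  echo "$diff"
}

# Read the self-reported level from the connected device. This is the value
# the Settings screen displays; it is a claim, not proof that the patches
# are present.
device_patch_level() {
  adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

# Usage (assumed reference month, here the April 2018 bulletin):
#   months_behind "$(device_patch_level)" 2018-04-05
```

A result of `0` only means the OEM set the string to the current month; a device can report `0` here and still be missing individual patches from that bulletin, which is the gap the SRL research documents.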
But speaking today at the HackInTheBox security conference in Amsterdam, the Netherlands, SRL researchers said that many OEMs are misreporting these patch levels.
For the past two years, SRL researchers Karsten Nohl and Jakob Lell have analyzed the contents of the security updates delivered by today's biggest Android OEMs.
The two found that while most OEM vendors claim to deliver up-to-date security updates, many omit some of the bulletin's patches from the builds they ship to users' devices, for reasons the vendors have not explained.
"Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks," the SRL team said today in a blog post accompanying their HackInTheBox presentation slides.
Some device vendors are worse than others, skipping four or more patches while still reporting an up-to-date patch level.
According to Nohl and Lell, one reason for the delays and gaps in patch delivery may be the chipset (SoC) vendors: the researchers noticed that one company in particular, MediaTek, was often lagging 9-10 patches behind.
This, in turn, created a bottleneck for many OEMs, who were ready to ship the Android OS-specific patches but did not yet have the firmware-level fixes from the chip vendor.
Because these hardware-level fixes are counted in the Android security bulletins, OEMs ended up delivering updates that advertised a given "security patch level" while actually missing some of the patches that make up that level.
But not all missing patches can be attributed to slow chipset vendors; in some cases the omissions were specific to the OEM's own build and not explained by any upstream delay.
The SRL team has released an app on the Google Play Store named SnoopSnitch that lets users analyze their own device: it reports which patches are missing and whether the device is truly as up-to-date as the "security patch level" in the settings section claims.
Image credits: Claudia Rahanmetan, Security Research Labs