Android OEMs caught lying about security patches

According to the team of security experts at Research Lab (SRL), a Berlin-based cybersecurity firm, a large number of Android manufacturers (OEMs) are skipping security patches while telling Android users that the patches have been installed.

Google releases security patches for Android each month in the form of the Android Security Bulletin. The tech giant distributes the bulletin to Android manufacturers (OEMs) as well as to chipset providers, and each of them adds its own updates, which depend on the variant of the Android operating system that ships with each device.

Each time one of these updates reaches a user’s device, it advances the “Android security patch level” shown in the device’s settings to the month and year of the Google Android Security Bulletin whose patches it contains.

However, it turns out that some OEMs are slacking off and misrepresenting these patches, as the SRL researchers revealed in a talk at the HackInTheBox security conference held in Amsterdam, Holland, a few days ago.

Karsten Nohl and Jakob Lell, SRL researchers, analyzed the content of the security updates delivered by the biggest Android OEMs over the past two years, as well as the updates being delivered today.

In this recent work, the two researchers discovered that some well-known OEM vendors claim to deliver security updates but in fact skip installing some of the patches on users’ devices, for reasons that are not known.

“Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks,” the SRL team stated today in a blog post, published along with the presentation slides from HackInTheBox.

Some vendors are much worse than others; Mediatek specifically was often lagging 9-10 patches behind the security updates. As a result, it created a bottleneck for a number of OEMs that were ready to ship the Android OS patches but did not have the firmware-related fixes from the chip vendor.

Since these hardware-level fixes are part of the Android Security Bulletins, this gave rise to situations where OEMs delivered security updates claiming a given “security patch level” while actually lacking some of the patches for that level. Nevertheless, not all of the missing patches can be attributed to slow chipset vendors: in some cases the missing security patches were ones the OEM itself had failed to include.

Because of this confusion, the SRL researchers released an app in the Google Play Store called “SnoopSnitch”. The app analyzes a user’s Android device and identifies which patches are missing, so users can tell whether their device is actually up to date regardless of what the “security patch level” in the settings section claims.