Security researchers have found that Android manufacturers have been engaging in a dangerous game.
In a test of over 1,200 phones from a dozen manufacturers, the security firm Security Research Labs (SRL) found that for some models the vendor told users their phone carried every patch up to, say, March 2018, when that was far from the truth. The figure users see is the device's self-reported "security patch level", and it is the vendor who sets it.
“We find that there’s a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others,” Karsten Nohl and Jakob Lell of the firm Security Research Labs said this week. “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
SRL tested phones from OEMs including Samsung, HTC, and even Google. Aside from Google's own Pixel line, the problem spanned every tier, from cheap low-end devices to flagship smartphones.
“We found several vendors that didn’t install a single patch but changed the patch date forward by several months,” Nohl said. “That’s deliberate deception, and it’s not very common.”
This is dangerous and misleading: the patch level is the only indicator most users have of which vulnerabilities their device is exposed to and which it is protected against, and if that indicator can be set to an arbitrary date it tells them nothing reliable.
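The "patch level" in question is the Android system property `ro.build.version.security_patch`, which a vendor writes into the build and which the Settings app displays; `adb shell getprop` prints it along with the other build properties. The script below is an added example, not code from the article or from SRL, showing how to read that claim from getprop output and measure how far it lags a reference month (assumed here to be the date of the newest security bulletin you care about). The getprop output is constructed for the example. Note what the script cannot do: it reports only what the vendor claims, which is exactly the value SRL found to be unreliable; confirming which fixes are actually present means testing the device for them, as SRL did.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [8.0.0]
[ro.build.version.sdk]: [26]
[ro.build.version.security_patch]: [2018-03-01]
[ro.product.manufacturer]: [ExampleOEM]
"""

# getprop prints one "[key]: [value]" pair per line.
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$", re.MULTILINE)


def parse_getprop(output):
    """Turn raw getprop output into a dict of property name -> value."""
    return {m.group("key"): m.group("value") for m in PROP_RE.finditer(output)}


def parse_iso_date(raw):
    """Parse the YYYY-MM-DD form Android uses for the patch level; reject anything else."""
    m = re.fullmatch(r"(\d{4})-(\d{2})-(\d{2})", raw or "")
    if not m:
        raise ValueError("not a YYYY-MM-DD date: %r" % (raw,))
    return date(int(m[1]), int(m[2]), int(m[3]))


def months_between(earlier, later):
    """Difference in calendar months, ignoring the day of month (negative if `earlier` is later)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def assess(output, reference):
    """Compare the device's self-reported patch level with a reference month
    (assumed: the date of the newest Android security bulletin). The result
    describes only the vendor's claim, not which fixes are really installed."""
    props = parse_getprop(output)
    claimed = parse_iso_date(props.get("ro.build.version.security_patch"))
    gap = months_between(claimed, parse_iso_date(reference))
    if gap < 0:
        verdict = "claimed level is newer than the reference bulletin; treat as suspect"
    elif gap == 0:
        verdict = "claims to be current"
    else:
        verdict = "claims to be %d month(s) behind" % gap
    return {
        "release": props.get("ro.build.version.release"),
        "claimed_patch_level": claimed.isoformat(),
        "months_behind_claim": gap,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Against a connected device you would feed in real output instead, e.g.
    #   subprocess.check_output(["adb", "shell", "getprop"], text=True)
    print(assess(SAMPLE_GETPROP, "2018-04-01"))
```

A claimed level later than the newest bulletin is the case SRL describes as vendors moving the date forward, so the script flags it rather than treating it as good news.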
In a statement responding to the report, Google told Wired that “Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”