- Some Android phone makers have been caught actively deceiving their customers about the security of their smartphones.
- A security research company says certain Android phone makers just change the date of older updates to trick users into thinking they have the latest security patches.
- The phone makers in question aren’t specifically revealed by the research company or Wired, which first reported the findings.
- Google’s Pixel devices are the only ones that contained every security patch that it advertised to its users.
An undisclosed number of Android phone makers have been actively deceiving customers about their devices’ security against malware and hacking vulnerabilities, according to Wired, which spoke with researchers at Security Research Labs (SRL) in Germany.
According to the report, some Android phone makers tell users via the update information within their devices’ settings that the latest security patches are installed on their devices when, in fact, they aren’t.
One method used by certain Android phone makers includes changing the date of an earlier patch to deceive users into thinking they have the latest security patch. As a result, users are led into a false sense of security.
SRL’s Karsten Nohl told Wired, “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”
In other cases when Android phone manufacturers don’t employ the patch date manipulation described above, SRL suggests those manufacturers simply neglect to update their devices and don’t try to hide it.
Android phone makers could also potentially “miss a patch or two by accident,” according to SRL’s Karsten Nohl.
SRL and Wired didn’t mention exactly which Android phone makers employ this tactic. Samsung was singled out in Wired’s report, but it wasn’t clear from the report whether Samsung specifically employed the patch date manipulation method described above.
SRL found that Samsung’s budget J3 smartphone claimed to have every security patch from 2017 installed, but it was actually missing 12 of the patches released during that year.
Conversely, SRL also found that Samsung’s mid-range J5 device contained all the advertised security patches. The J5 did miss some security patches from 2017, but it didn’t advertise that they were installed. J5 customers who checked the security status of their devices could therefore see which patches were installed and which were not.
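The J3 and J5 cases above illustrate two different situations: a patch level that claims fixes the device does not have, and a patch level that is simply old but honest. The following added example (not code from SRL, Wired or any phone maker) shows how a defender can separate the two. It works at the granularity of Android’s monthly patch levels, as exposed by the real system property `ro.build.version.security_patch` (format YYYY-MM-DD), and assumes the set of levels actually present comes from an independent on-device audit; the device data here is constructed.

```python
from datetime import date

# Android advertises its patch level in the system property
# ro.build.version.security_patch, e.g. "2017-12-01". Monthly security
# bulletins are dated the 1st of the month, so a device advertising a given
# level implicitly claims every earlier monthly level of that year too.

def monthly_levels(year: int) -> list:
    """All monthly patch levels of `year`, as 'YYYY-MM-01' strings."""
    return [f"{year}-{m:02d}-01" for m in range(1, 13)]

def claimed_levels(advertised: str, year: int) -> list:
    """Levels a device implicitly claims by advertising `advertised`."""
    date.fromisoformat(advertised)  # raises ValueError on a malformed property
    return [lvl for lvl in monthly_levels(year) if lvl <= advertised]

def audit(advertised: str, verified_present: set, year: int = 2017) -> dict:
    """Classify the year's patch levels for one device.

    misrepresented: claimed by the advertised level but not actually present
                    (the date manipulation described in the article)
    honest_gap:     newer than the advertised level, so missing but not claimed
    present:        claimed and verified present
    `verified_present` is assumed to come from an independent audit of the
    installed fixes; in this example it is constructed sample data.
    """
    claimed = claimed_levels(advertised, year)
    return {
        "misrepresented": [l for l in claimed if l not in verified_present],
        "honest_gap": [l for l in monthly_levels(year) if l > advertised],
        "present": sorted(verified_present & set(claimed)),
    }

# Constructed sample: both devices really have only January-June 2017 fixes.
VERIFIED_JAN_TO_JUN = {f"2017-{m:02d}-01" for m in range(1, 7)}

# Device A advertises the December level it does not have (J3-like behaviour).
DEVICE_A = audit("2017-12-01", VERIFIED_JAN_TO_JUN)
# Device B advertises the June level it genuinely has (J5-like behaviour).
DEVICE_B = audit("2017-06-01", VERIFIED_JAN_TO_JUN)

if __name__ == "__main__":
    print("Device A misrepresented:", DEVICE_A["misrepresented"])
    print("Device B misrepresented:", DEVICE_B["misrepresented"],
          "honest gap:", DEVICE_B["honest_gap"])
```

Only the `misrepresented` list is evidence of the deception the article describes; a non-empty `honest_gap` is an out-of-date device, not a lying one.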
SRL tested 1,200 devices from over a dozen Android smartphone makers and found that Google smartphones were the only ones that contained all the security patches that were advertised in software updates released in 2017. Google confirmed to Business Insider that its Pixel devices, including the original Pixel and Pixel 2, contain all the advertised security patches.
Indeed, Google is the source of Android’s security patches. It’s up to third parties, including smartphone manufacturers and network carriers, to supply Google’s Android updates to their devices. Still, Google has some work to do to get third parties in line. After all, many associate Android directly with Google rather than with the third parties.
Security patches on third-party devices have been an ongoing issue for Google and its Android operating system. Factors like the huge number of Android devices with different hardware and features, as well as compliance with network carriers, often cause third-party Android makers to roll out patches and updates months after Google releases an update, if at all.
According to SRL and Wired:
- Phones from Samsung, Sony, and Wiko, on average, were missing zero to one of the security patches advertised in updates from 2017.
- Phones from Xiaomi, OnePlus, and Nokia were missing one to three of the advertised security patches.
- Phones from HTC, Huawei, LG, and Motorola were missing three to four of the advertised security patches.
- Phones from TCL and ZTE were missing four or more of the advertised security patches.
Business Insider requested comment from all the Android phone makers in Wired’s story, including Samsung, Sony, Wiko, Xiaomi, OnePlus, Nokia, HTC, Huawei, LG, Motorola, TCL, and ZTE. Business Insider has yet to hear back from all of them, save for Google, which provided this statement to Business Insider:
“We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We’re working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update. Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers’ conclusions that remote exploitation of Android devices remains challenging.”