Nohl and researcher Jakob Lell found that even companies like Sony and Samsung missed a patch every now and then, but it wasn't consistent across models. For example, Samsung's 2016 J5 accurately reported what was and wasn't installed, but its 2016 J3 said all patches were up to date when 12 weren't actually installed.
While Sony and Samsung phones were found to have missed few patches, on average, devices made by TCL and ZTE had on average four or more missed updates they claimed to have installed. HTC, Huawei, LG and Motorola all had between three and four skipped patches while Xiaomi, OnePlus and Nokia skipped, on average, between one and three security updates. SRL notes that the chips the phones used could be part of the problem. Those with Samsung processors skipped over few patches while models using MediaTek chips missed almost 10 patches, on average. "The lesson is that if you go for a cheaper device, you end up in a less well maintained part to this ecosystem," said Nohl.
Due to these findings, SRL has updated its SnoopSnitch app, allowing Android phone users to get an accurate breakdown of which updates have and haven't been installed.
A Google spokesperson sent us the following statement.
"We would like to thank Karsten Nohl and Jakob Kell for their continued efforts to reinforce the security of the Android ecosystem. We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update.
Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging."
It's good to keep in mind that while these skipped security updates introduce vulnerabilities, it doesn't mean they have been or can easily be exploited. And patches aren't the only Android security feature -- you can read more about that here.