
Image credit: Joan Cros Garcia - Corbis via Getty Images

Researchers say some Android phone makers hide missed updates

Samsung and Sony phones are among those with skipped updates.

A number of Android phones have a tendency to skip the occasional security patch while making it appear that the device is fully up to date, Wired reports. Researchers with Security Research Labs (SRL) looked into 1,200 phones from manufacturers like Google, Samsung, Sony, Nokia, Huawei, Motorola, LG, HTC, ZTE and TCL and found that there's often a gap between the patch level the phones report and the patches that have actually been installed. "It's small for some devices and pretty significant for others," SRL founder Karsten Nohl told Wired.

Nohl and researcher Jakob Lell found that even companies like Sony and Samsung missed a patch every now and then, but it wasn't consistent across models. For example, Samsung's 2016 J5 accurately reported what was and wasn't installed, but its 2016 J3 said all patches were up to date when 12 weren't actually installed.

While Sony and Samsung phones were found to have missed few patches on average, devices made by TCL and ZTE had, on average, four or more missed updates they claimed to have installed. HTC, Huawei, LG and Motorola all had between three and four skipped patches, while Xiaomi, OnePlus and Nokia skipped, on average, between one and three security updates. SRL notes that the chips the phones used could be part of the problem. Those with Samsung processors skipped over few patches, while models using MediaTek chips missed almost 10 patches, on average. "The lesson is that if you go for a cheaper device, you end up in a less well maintained part to this ecosystem," said Nohl.

Due to these findings, SRL has updated its SnoopSnitch app, allowing Android phone users to get an accurate breakdown of which updates have and haven't been installed.

A Google spokesperson sent us the following statement.

"We would like to thank Karsten Nohl and Jakob Lell for their continued efforts to reinforce the security of the Android ecosystem. We're working with them to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update.
Security updates are one of many layers used to protect Android devices and users. Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging."

It's good to keep in mind that while these skipped security updates introduce vulnerabilities, it doesn't mean they have been or can easily be exploited. And patches aren't the only Android security feature -- you can read more about that here.
