Is your smartphone lying to you about having the latest Android security updates?
If you thought your Android phone was patched with all of the latest security updates, it might be time to think again. A report by Security Research Labs found that some phone manufacturers were not only failing to deliver security updates, but were hiding this fact from users.
The company found that some devices suffered a "patch gap" whereby manufacturers altered the date reported to Android -- and users -- about when security updates were last installed, without actually installing any patches.
Speaking at the Hack in the Box security conference in Amsterdam, Karsten Nohl and Jakob Lell from Security Research Labs gave details of their findings after two years of research. The pair had reverse engineered code on hundreds of Android phones, and found that many were vulnerable to hacking despite claims of being fully patched and secure.
Explaining the findings, Nohl said:
"We find that there's a gap between patching claims and the actual patches installed on a device. It's small for some devices and pretty significant for others. Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best."
As reported by Wired, SRL tested phones from big-name companies, the likes of Samsung and HTC, as well as those from smaller companies. While the problem was found to be worse with the "lower-tier manufacturers", the misreporting of security updates was also found in more expensive, well-known handsets.
While Nohl says that it was possible that manufacturers accidentally missed a patch or two, this was certainly not the case in every instance of misreporting. "We found several vendors that didn't install a single patch but changed the patch date forward by several months. That's deliberate deception," says Nohl.
An update to SRL's free SnoopSnitch app will make it possible for people to check the real state of security updates on their phones.