Some Android Phones Are Hiding Missing Security Patches, Researchers Say

We may earn a commission from links on this page.

New phone-security research unveiled by researchers at a German hacking conference this week spells bad news for Android users.

Several top-tier Android phone vendors—Samsung, HTC, and the like—have mislead users into believing security patches have been installed when in fact they have not. That’s according to Security Research Labs (SRL), which announced its findings at the Hack in the Box security conference. SRL’s research involved tests of more than 1,200 phones from more than a dozen manufacturers, according to Wired, which first reported the findings on Thursday.

The researchers described a serious “gap” between patches the phone makers claimed were installed and those actually found on the device.


Android users can typically find software information in options under the “about phone” section, where they’ll see details like the OS version number and the date security patches were installed.

However, as SRL founder Karsten Noh told Wired, “Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”


But often, said Noh, the patches may not be issued by mistake. Some Samsung phones, for instance, correctly identified which patches were not installed, while others, including the Samsung’s 2016 J3 phone, lacked 12 of the patches it claimed were installed, including two, according to Wired, which are considered “critical.”

Google, whose flagship phones, the Pixel and Pixel 2, were in far better shape, noted that not all of the phones examined by SRL were Android-certified devices. (You can find out if yours is here.) Google also said that some of the phones lacked features relevant to certain patches, although SRL’s Nohl disputed this was widely the case.