Some Android Phones Are Hiding Missing Security Patches, Researchers Say


New phone-security research unveiled at a hacking conference in Amsterdam this week spells bad news for Android users.

Several top-tier Android phone vendors, Samsung and HTC among them, have misled users into believing security patches were installed when in fact they were not. That is according to Security Research Labs (SRL), which announced its findings at the Hack in the Box security conference. SRL tested more than 1,200 phones from more than a dozen manufacturers, according to Wired, which first reported the findings on Thursday.


The researchers described a serious "patch gap" between the fixes the phone makers claimed were installed and those actually found in the device's firmware.

Android users can typically find this information under Settings, in the "About phone" section, which lists the OS version number and the "Android security patch level," a date that is supposed to identify the most recent monthly security bulletin whose fixes the device includes.

However, as SRL founder Karsten Nohl told Wired, "Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best."
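The same value can be read over adb without opening the settings screen, which is convenient when auditing many handsets. The script below is an added example for this page, not code from SRL, Gizmodo or Wired: it parses a constructed `getprop` dump (the property name `ro.build.version.security_patch` is the real one; the sample values are made up), checks that the claimed level is a well-formed date, and compares it with the bulletin month you expect. What it cannot do is tell you whether the fixes are actually present, which is exactly the gap SRL describes: the property is a string the vendor sets at build time, and nothing on the device ties it to the patched code.

```shell
#!/bin/sh
# Added example: reads the self-reported Android security patch level over adb.
# Constructed sample of `adb shell getprop` output; not a real device dump.
SAMPLE_PROPS='[ro.build.version.release]: [8.0.0]
[ro.build.version.sdk]: [26]
[ro.build.version.security_patch]: [2018-03-05]
[ro.build.fingerprint]: [example/device/device:8.0.0/OPR1.170623.032/123:user/release-keys]'

# Pull the claimed patch level (YYYY-MM-DD) out of a getprop dump on stdin.
# Older adb builds emit CRLF line endings, so strip carriage returns first.
claimed_patch_level() {
  tr -d '\r' | sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\([0-9-]*\)\]$/\1/p'
}

# Succeed only if $1 looks like a YYYY-MM-DD patch level string.
is_patch_level() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Print "older", "current" or "newer" for patch level $1 relative to $2.
# Dashes are dropped so the dates compare as plain integers (YYYYMMDD).
compare_patch_level() {
  a=$(printf '%s' "$1" | sed 's/-//g')
  b=$(printf '%s' "$2" | sed 's/-//g')
  if [ "$a" -lt "$b" ]; then echo older
  elif [ "$a" -eq "$b" ]; then echo current
  else echo newer
  fi
}

# Read a getprop dump on stdin and print "<level> <relation>" against the
# bulletin month given as $1, or "invalid" (exit 2) if the property is missing
# or malformed. This is the vendor's claim, not evidence that fixes are installed.
assess_props() {
  level=$(claimed_patch_level)
  if ! is_patch_level "$level"; then
    echo invalid
    return 2
  fi
  echo "$level $(compare_patch_level "$level" "$1")"
}

# Demo on the constructed sample. On a device: adb shell getprop | assess_props 2018-04-05
printf '%s\n' "$SAMPLE_PROPS" | assess_props 2018-04-05   # prints: 2018-03-05 older
```

Treat an "older" result as a prompt to ask why the vendor has not shipped the latest bulletin, and a "current" result as no more than a claim: confirming that a given fix is present means inspecting the affected binaries, which is the work SRL did across its 1,200-phone sample.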

The omissions are not always deliberate; often, said Nohl, patches are simply missed by mistake. Some Samsung phones, for instance, accurately reported which patches were not installed, while others, including Samsung's 2016 J3, lacked 12 of the patches they claimed to have, two of which, according to Wired, are rated "critical."


Google, whose flagship phones, the Pixel and Pixel 2, were in far better shape, noted that not all of the phones SRL examined were Android-certified devices. (Google publishes a list of certified devices.) Google also said that some of the phones lacked the features or components that certain patches apply to, although SRL's Nohl disputed that this was widely the case.

[WIRED]


About the author

Dell Cameron

Privacy, security, tech policy | Got a tip? Email: dell@gizmodo.com | Send me encrypted texts using Signal: (202)556-0846

PGP Fingerprint: A70D 517E FB9A 02C9 C56E 86D5 877E 64E7 10DF A8AE
OTR Fingerprint: 2374A8EA 6D2B7712 0D82D659 C0FE8253 A3F080FD