
Android OEMs Duping Security Patches

A research firm in Germany tested over 1,200 Android handsets and found many of them crediting security patches that were never rolled out.

(CCM) — Researchers at Security Research Labs (SRL), a security firm based in Germany, have found that Android phone manufacturers have been misleading their customers about security patches. The firm's extensive research suggests that companies including Google, HTC, Samsung, Sony, Motorola, ZTE, TCL and others have been skipping select Android security patches, even though their devices report the patches as installed.

SRL based its research on the firmware of 1,200 Android handsets and checked for every patch rolled out in 2017. SRL founder Karsten Nohl has said that some manufacturers may have missed a security patch by accident. However, the Samsung J3 (2016) claimed to have installed every Android patch in 2017 while actually missing over 12 security updates, which is alarming. These missed updates even include some that were rated critical for device safety.

Currently, Google is working with the researchers at SRL to dig deeper into the research findings. SRL researchers Nohl and Jakob Lell will also present their study at the Hack in the Box security conference in Amsterdam today. The research firm has also launched a tool called SnoopSnitch on the Play store to analyze a phone’s firmware for missed or installed security updates.

Image: © Asif Islam - Shutterstock.com

Yes, thank you very much (so true)! For years and years, Android device manufacturers have been consistently horrible at supplying updates.

This also includes critical patches, even when something big happens, such as BlueBorne:

So, for example, I had purchased the Lenovo Vibe C2 (K10_a40) and the last (Global, "ROW") ROM for it was (the same as what the phone came with, originally, believe it or not):

OTA Update (Over the Air) has only offered:

& totally by chance I've been able to find an update:

... However, Lenovo does NOT provide an official flash tool, to update the phone software. Their KIES program will only accept whatever update is available as the OTA update, the same as what is built into the phone. As if they're trying to make life difficult for the customer. :/

The extra patch/firmware which I'd been able to find is: "March 5, 2017 Android security patch level", which means that my device will FOREVER stay vulnerable to the Bluetooth exploit as it was discovered on September 12, 2017.

This is confirmed by taking a look at the Lenovo Android Upgrade Matrix @

While we're on the topic, might as well check your device as Wikipedia says: "In 2017, BlueBorne was estimated to potentially affect over 8.2 billion devices worldwide", https://en.wikipedia.org/wiki/BlueBorne_(security_vulnerability)
