Android OEMs Duping Security Patches

A research firm in Germany tested over 1,200 Android handsets and found many of them reporting security patches as installed that were never rolled out.

(CCM) — Researchers working at Security Research Labs (SRL), a security firm based in Germany, have found that Android phone manufacturers have been fooling their customers about security patches. The extensive research carried out by the firm suggests that companies like Google, HTC, Samsung, Sony, Motorola, ZTE, TCL, and others have been skipping select Android security patch updates, even though the devices show them as installed.

SRL based its research on the firmware of 1,200 Android handsets and checked for every patch rolled out in 2017. SRL founder Karsten Nohl has said that it is possible that some manufacturers may have accidentally missed a security patch. However, the fact that the Samsung J3 (2016) claimed to have installed every Android patch in 2017, when it missed over 12 security updates, is alarming. These updates even include ones that were considered critical for device safety.

Currently, Google is working with the researchers at SRL to dig deeper into the research findings. SRL researchers Nohl and Jakob Lell will also present their study at the Hack in the Box security conference in Amsterdam today. The research firm has also launched a tool called SnoopSnitch on the Play Store to analyze a phone’s firmware for missed or installed security updates.
