Android phone makers are misleading customers with missing security patches

For those curious about their own devices, Security Research Labs is releasing an update to its Android app, SnoopSnitch, which checks whether your device has been patched as many times as it should have been. On average, these phones had 9.7 missing patches.

While top-tier vendors such as Google, Sony, and Samsung missed no or very few patches, budget Chinese smartphone makers TCL and ZTE failed to install more than four patches, despite claiming to have fully updated devices, the researchers reported.

Even the brands that seem most attentive and diligent have been found not to fulfill their duty properly, even lying about the security patch level of their devices.

While criminals typically rely on social engineering to attempt to steal data from users, through malicious apps and the like, state-sponsored actors are more likely to exploit missed patches as part of their attacks using previously unknown methods, the researchers say.

The patch gap issue is not an isolated case.

The differences vary by model and manufacturer, but since the patches are listed in the monthly security bulletins published by Google, this should not happen under any circumstances. While Google agrees that the area needs greater attention, it also points out that some of the devices in the study may not have been Android certified, meaning the standards of security they're held to are different. HTC, Huawei, LG and Motorola missed between 3-4 patches, whereas TCL and ZTE missed more than 4 patches.

There is also the possibility that instead of patching through updates, phone makers simply remove or alter the feature that might have caused the security vulnerability. Entry-segment devices, on the other hand, hardly receive any regular security updates, let alone OS updates.

Every now and then, Android receives new updates or patches that are said to secure your smartphone.

Our binary-only analysis technique applies to Android and many other domains where patch levels need to be measured without access to source code.

Further complicating the matter is the sheer inconsistency in which devices get what quality of treatment: the Galaxy J5 (2016) honestly told consumers about its hit-and-miss patch record, while the Galaxy J3 (2016) claimed to have every patch it received but actually lacked 12 of them, two of which were of "critical" importance. Security updates are one of many layers used to protect Android devices and users. Besides manufacturers, SRL said some chip makers are to blame.

When presented with SRL's findings, Google noted that some of the devices analysed were not Android certified devices, meaning they are not held to Google's standards of security, and also mentioned that modern Android phones usually have security features that make them hard to hack, even when they have unpatched security vulnerabilities.
