Android vendors like to say that their smartphones are routinely updated with the latest security patches. New security research out of Germany has revealed that most Android vendors mistakenly tell customers that their phones are running the latest updates, and in fact, their firmware upgrades may cause some critical patches to be skipped accidentally.
The findings come from Karsten Nohl and Jakob Lell from Security Research Labs in Berlin, who have examined 1
It is already known that Android smartphones receive the latest updates weeks or months after their official publication by Google. In some cases a phone will not receive them at all. A big reason why is the Android ecosystem: it is spread across a whole host of manufacturers and mobile operators, each of which is optimizing the Android operating system to make their phones unique.
Nohl and Lell decided to investigate phones that are said to have received and installed the latest Android updates. In particular, they focused on patches for critical or serious bugs released in 2017 and on whether vendors really installed them.
The two researchers have published a summary of their findings. The Chinese manufacturers TCL and ZTE were among the biggest culprits and had on average more than 4 missing patches in their phones.
However, the devices with the most severe problems were those built with processors from Taiwan's MediaTek. On average, these phones had 9.7 missing patches.
In an interview on Thursday, Nohl said that the patching problem is due to the sheer "complexity" of the Android ecosystem and a lack of quality control. Every time Google introduces a software update, chipset manufacturers like Qualcomm and MediaTek test it, make adjustments, and then distribute the software to Android smartphone manufacturers for integration. However, these vendors also need to test the Android software on multiple devices
A security patch may get lost during the process, Nohl said. "Sellers generally make a real effort, but things can be forgotten, skipped, or the seller will want to do it later," he said.
Ironically, the security industry could have compounded the problem. "A few years ago, our community put pressure on publishers to release patches every month," Nohl said. "But the Android ecosystem is so complex."
Samsung, for example, has hundreds of different phone models that can be sold all over the world. According to Nohl, the Korean vendor generally had a strong track record in software updates, but it dropped the ball on its Samsung J3 handset, which lacked 12 patches.
"If you only have one month to patch, you cannot do much quality checking," he said.
Pressure to patch can also be an incentive for vendors to lie. Nohl has seen a few cases where a vendor has attempted to deceive consumers about the security of their phone. His research actually started when his company complained to a manufacturer about missing patches on a customer's smartphone.
"In response to our complaint, the manufacturer changed the (software) date a year later," Nohl said. "That made us realize that the date is not associated with any evidence."
Nohl declined to name the vendor, but he has tried to hold smartphone manufacturers to account. He pointed to the French vendor behind the Wiko Freddy, a smartphone that lacked 80 patches. "When they became aware, they came around," said Nohl.
The good news is that Nohl and his company have come up with a solution. On Thursday, his company released an updated version of an app that can tell you if any patches are missing on your smartphone. Data from this app can then be shared with device manufacturers in the hope that the issues will be resolved.
In the meantime, owners of affected smartphones should not panic if they notice a missing software update. "Skipping a single patch usually does not pose a risk," Nohl said. Often, hacking an Android device involves exploiting a chain of software bugs, not just one. Most Android malware can also be avoided by being careful about what you download; for example, cybercriminals like to deliver malicious code through reputable-looking apps by uploading them to third-party app stores.
Still, every patch on an Android smartphone is like a protective layer. The fewer you have, the more vulnerable your device can be to certain attacks, Nohl said.
In response to his research, Google agreed that using an Android phone is "challenging" even without the latest security patches. The company continues to expand the Android operating system with new security mechanisms that can isolate and detect malicious code before it takes hold.
In addition, Google is working to improve Nohl's app so that Android phones with "alternative security updates" can be identified. The company says these may have gone undetected by the research.
MediaTek said the company took security and privacy seriously, but had no opportunity to review Nohl's research. Nohl and his colleague Jakob Lell are planning to present their results on Friday at a security conference.