Android security: Your phone's patch level says you're up to date, but that may be a lie

Study into missed security updates casts doubt on Google's Android patch level system.
Written by Liam Tung, Contributing Writer

Google has spent the past two years building momentum behind its Android monthly patch level system, but a study has found critical patches that should be on devices displaying a patch level aren't actually present.

The 'hidden patch gap' in Android devices was discovered by researchers Karsten Nohl and Jakob Lell of German security firm Security Research Labs.

Also: The 10 best ways to secure your Android phone

The pair are presenting the results of their two-year analysis of 1,200 Android phones today at the Hack in the Box conference in Amsterdam.

The results, shared with Wired, show that some popular Android devices are missing as many as a dozen patches that users would expect to be there, based on the patch level string displayed in settings in date format.

Google introduced the monthly Android updates in 2016, shortly after the Android-wide Stagefright bugs emerged.

Ever since, it has been pushing the industry to adopt the regular updates as part of an effort to clean up Android's image and improve security. Google usually releases two patch levels each month: one just for Android bugs, and another for bugs in kernel and chipset drivers.

Google reported in its 2017 Android security review that the system had resulted in 30 percent more devices receiving security patches compared with 2016.

But, according to Nohl, some Android manufacturers appear to be gaming the patch level system to falsely improve their image. And, as vendors chalk up security points for non-existent patches, end users are left with a false sense of security.

Ebook download: IT leader's guide to cyberattack recovery

"Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best," he told Wired.

The study looked at all 2017 patches on a range of devices from Google, Sony, Samsung, Wiko, Xiaomi, OnePlus, Nokia, HTC, Huawei, LG, Motorola, TCL, and ZTE. The researchers calculated the average number of missing patches for each patch level over the year for the brands.

Google, Sony, Samsung, and Wiko were missing up to one patch, while Xiaomi, OnePlus, and Nokia were missing between one and three. TCL and ZTE were the worst offenders, missing more than four, while HTC, Huawei, LG, and Motorola were missing between three and four.

But there were some curious outliers in the results, too. A Samsung 2016 J3 with a patch level for the end of 2017 lacked 12 patches issued that year, two of them being critical.

The results also reflect poorly on LG and Motorola, given their early participation in Google's monthly patch program.

A possible source of missing patches is the chipset used in devices and the vulnerabilities specific to it. MediaTek chipsets, which are often used in cheaper handsets, were found to have 9.7 missing patches.

Google pointed out that security updates are just one layer of security that make it hard to actually exploit Android devices. Other protections include app sandboxing, Google Play Protect, and the Android ecosystem's diversity.

Related: What is malware? Everything you need to know about viruses, trojans and malicious software

Nohl agrees that exploiting Android vulnerabilities remains difficult due to these security layers and points out an easier and more common route to compromising Android devices is through the use of malicious apps -- either inside Google Play or outside the store.

Nonetheless, Android users should be able to trust that a patch level string is a truthful reflection of the state of their handset.

"Now that monthly patches are an accepted baseline for many phones, it's time to ask for each monthly update to cover all relevant patches. And it's time to start verifying vendor claims about the security of our devices," SRL writes.

Users who want to monitor the patch state of their device can use SRL's free patch verification app, SnoopSnitch.


Security Research Labs' table shows the average number of missing critical and high-severity patches before the claimed patch date.

Image: Security Research Labs

Previous and related coverage

Android P will stop apps from silently using your phone's camera and mic

Android P gets a privacy boost by preventing backgrounded apps from recording or taking pictures.

BlackBerry CEO says security is key competitive advantage over other Android handsets

At CES 2018, BlackBerry CEO John Chen said the company's phones (now manufactured and sold by TCL) are the most secure Android phones.

Android security triple-whammy: New attack combines phishing, malware, and data theft

Attacks on three fronts ensure attackers have all the information they need to steal banking details in the latest evolution of the Marcher malware, warn researchers.

Google Android: Nearly one in three devices will never get latest security patches

Google details progress on the Android patching problem, but its annual report shows there's still has a long way to go.

Your smartphones are getting more valuable for hackers (CNET)

Security researchers are seeing a shift where attackers would much rather hit your smartphones than your computers.

These Android smartphone OEMs provide the fastest security updates to users (TechRepublic)

Timely security updates continue to be a problem for Android devices. Find out how your manufacturer compares.

Editorial standards