Some Android OEMs have reportedly been skipping security patches, according to the security research firm Security Research Labs (SRL), which presented the issue last week, on Friday, April 6, at a conference in Amsterdam.
When presented with SRL's findings, Google noted that some of the devices analysed were not Android certified devices, meaning they are not held to Google's standards of security, and also pointed out that modern Android phones usually have security features that make them hard to hack even when they carry unpatched vulnerabilities. Xiaomi, OnePlus and Nokia skipped as many as three patches. For J5 customers, those who checked the security status of their devices were aware of which patches were installed and which were not. The smartphones tested were found to be missing security patches that their makers claimed to have rolled out.
Android phone makers could also potentially "miss a patch or two by accident", according to SRL's Karsten Nohl. Here, I'm talking about regular updates and security patches.
One method used by certain Android phone makers includes changing the date of an earlier patch to deceive users into thinking they have the latest security patch.
SRL has updated its SnoopSnitch Android security app to detect whether a phone has missed security updates.
The report on Wired points out that this "patch gap" is a serious problem: in some cases vendors indicated to users that the phone had all of Android's security patches when in reality it was missing more than a dozen. The "patch gap" varies between device and manufacturer, but given Google's requirements as listed in the monthly security bulletins, it shouldn't exist at all.
"We found several vendors that didn't install a single patch but changed the patch date forward by several months", Nohl further revealed. The vendor has to primarily depend on the chipmaker to offer a security patch and not the OS.
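A practitioner who wants a first, crude check for the date-forwarding trick described above can compare the patch level a device declares with the build it actually ships. The script below is an added example (not SRL's SnoopSnitch and not code from the article); it parses the `[key]: [value]` lines that `adb shell getprop` prints, reads the real Android properties `ro.build.version.security_patch` and `ro.build.date.utc`, and flags two inconsistencies: a declared patch level far later than the firmware build date, and a patch level that is simply old. The sample property dump, the device model and the day thresholds are constructed assumptions. A clean result here does not prove the patches are installed, which is exactly SRL's point; it only catches the obvious mismatches.

```python
import re
from datetime import date, datetime, timedelta, timezone

# Constructed sample of `adb shell getprop` output; not captured from a real device.
SAMPLE_GETPROP = """\
[ro.product.model]: [EXAMPLE-DEVICE]
[ro.build.version.release]: [8.0.0]
[ro.build.version.security_patch]: [2018-03-01]
[ro.build.date.utc]: [1499760000]
"""

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse getprop output into a dict of property name -> value."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def assess_patch_level(props, today, max_lead_days=45, max_age_days=90):
    """Return a list of finding codes for the declared security patch level.

    max_lead_days / max_age_days are assumed heuristics: OEMs legitimately
    build a few weeks ahead of a bulletin date, so only a large lead is
    suspicious; and a patch level more than ~3 months old means missed updates.
    """
    findings = []
    patch = props.get("ro.build.version.security_patch")
    if not patch:
        return ["NO_PATCH_LEVEL_DECLARED"]
    patch_date = datetime.strptime(patch, "%Y-%m-%d").date()

    build_utc = props.get("ro.build.date.utc")
    if build_utc:
        build_date = datetime.fromtimestamp(int(build_utc), tz=timezone.utc).date()
        # A firmware image cannot contain patches published long after it was built.
        if patch_date - build_date > timedelta(days=max_lead_days):
            findings.append("PATCH_LEVEL_AHEAD_OF_BUILD")

    if today - patch_date > timedelta(days=max_age_days):
        findings.append("PATCH_LEVEL_STALE")
    return findings


def main():
    props = parse_getprop(SAMPLE_GETPROP)
    # Fixed "today" so the example is reproducible; use date.today() on a real device.
    findings = assess_patch_level(props, date(2018, 4, 9))
    model = props.get("ro.product.model", "unknown")
    if findings:
        print(f"{model}: {', '.join(findings)}")
    else:
        print(f"{model}: declared patch level is consistent with build date")


if __name__ == "__main__":
    main()
```

In the constructed sample the build timestamp decodes to 2017-07-11 while the declared patch level is 2018-03-01, so the script reports `PATCH_LEVEL_AHEAD_OF_BUILD`. To run it against a real phone, pipe `adb shell getprop` into `parse_getprop` instead of the sample string.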
Google told Wired, "some of the devices SRL analyzed may not have been Android certified devices, meaning they're not held to Google's standards of security".
While criminals typically rely on social engineering to attempt to steal data from users, through malicious apps and the like, state-sponsored actors are more likely to exploit missed patches as part of their attacks using previously unknown methods, the researchers say.
One possible explanation for vendors skipping patches is the chipsets they use in their devices.
Phones from TCL and ZTE were missing four or more of the advertised security patches. Google tried to do some damage control by pointing to mechanisms such as Google Play Protect, which are being developed to provide an extra security layer.