Android smartphone makers lie about patch releases

Karsten Nohl and Jakob Lell, well-known experts from Security Research Labs, gave an interesting presentation at the Hack In The Box conference. The researchers found that many major manufacturers of Android devices, including Samsung, Xiaomi, OnePlus, Sony, HTC, LG, ZTE and Huawei, only create the appearance of releasing patches, while in fact many bugs remain unfixed.

Updating Android devices has always been an acute problem. Google developers currently release a set of security updates for their OS every month, and these patches then pass to the manufacturers of numerous devices, who must independently adapt the updates for their products and deliver them to end users. Unfortunately, market fragmentation remains high, and vendors take different attitudes to their responsibilities. Because of this, many devices do not receive important updates at all.

Nohl and Lell, however, found that this already sad state of affairs is actually even worse. For two years, the experts carefully studied the contents of security updates issued by the largest manufacturers of Android-based devices, and did a great job, having examined over 1200 smartphones. As the study showed, many manufacturers resort to tricks when releasing updates. Although they claim that their devices have received all the relevant fixes, this is a lie: some fixes, for unknown reasons, “drop out” of the lists and as a result never reach users, who cannot even find out that they are missing. The experts explain that sometimes even Pixel devices do not get some patches.

Most often, the problem is smaller in scale. On most Sony and Samsung devices, for example, only a couple of updates may be missing, which may be a coincidence. In some cases, however, things are much worse. J3 smartphones released by Samsung in 2016 should have all the security updates for 2017, but in fact 12 patches are missing, and two of those fixes are critical.