Some Android manufacturers lie to customers about installing security updates

Your Android phone may not be as secure as you think it is. According to a recent report from German security firm Security Research Labs, which was first picked up by Wired, not only do many Android manufacturers not always keep up to date with Android security updates, but they actually lie to customers by telling them that their device has the latest patch installed.

It’s troubling news. In recent years, it appeared Android manufacturers were getting better at ensuring that their devices are safe and up to date — but it seems that may not be the case after all.

The researchers — Karsten Nohl and Jakob Lell — spent two years analyzing Android devices and checking their code to see if the manufacturers had actually installed the updates, or if they were instead simply claiming that they were up to date. What they found was that many devices had what they called a “patch gap,” where the phone’s software claimed the phones were up to date, but the code proved that often dozens of patches had simply been skipped.

Even worse is the fact that the lying seems to be a pretty common practice. The team tested firmware from a hefty 1,200 phones from the likes of Google, Samsung, HTC, Motorola, ZTE, and TCL, and found that even major releases from massive companies like Samsung occasionally skipped a security patch.

Some manufacturers were worse than others. While the likes of Sony and Samsung only skipped one or no security updates, Xiaomi, OnePlus, and Nokia skipped up to three. HTC, Huawei, LG, and Motorola skipped up to four, and TCL and ZTE skipped more than four. Phones built by Google did not skip security updates. According to SRL, the skipped patches could also be related to the chipset used by the phone. According to the company, phones with Samsung-built chips had very few skipped patches, while phones with MediaTek chipsets skipped a whopping 9.7 patches on average. This may be because bugs are found in the chip rather than the operating system, and the manufacturer then depends on the maker of the chipset to patch those bugs before a security update can be installed.

According to Google, which gave a statement to Wired for the report, one cause for the skipped updates could be that some devices are uncertified, meaning that they’re not held to the same security standard. On top of that, skipping patches could be because of a specific phone not offering the feature that needs to be patched in the first place.

Of course, it really doesn’t matter why manufacturers are skipping updates — what matters is that even when updates are skipped, the software still claims that the phone is up to date when it isn’t. In reality, it’s still extremely hard to hack an Android phone, and there are plenty of other security measures in place to prevent an attack — but the fact is that smartphone manufacturers are lying.