HomeWinBuzzer NewsAndroid OEMs are Faking Security Patches and Fooling Users

Android OEMs are Faking Security Patches and Fooling Users

Leading Android OEMs like Samsung and HTC are moving forward the dates of security patches, but not issuing any updates.


has often struggled with maintaining the security of its platform. This is mostly because the platform is customized extensively by OEMs and carriers. While these OEMs send out regular security patches, a new study has found those rollouts are fake.

Security firm SRL studied 1200 from 12 OEMs and found many are telling users they are fully secure (up to March 2018), when in fact that's not true. Indeed, the research shows Android manufacturers are faking updates.

“We find that there's a gap between patching claims and the actual patches installed on a device. It's small for some devices and pretty significant for others,” Karsten Nohl and Jakob Lell of the firm Security Research Labs said this week.

“Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best.”

SRL tested devices from some of Android's leading OEM's, such as HTC, , and Google. The only devices without issues with accurate patch reporting were Google's own Pixel devices. That makes sense as those smartphones comes with Android and receive Google's own security fixes.

As for the other leading manufacturers, devices are not up to date, whether in the low-end of flagship class.

“We found several vendors that didn't install a single patch but changed the patch date forward by several months,” Nohl said. “That's deliberate deception, and it's not very common.”

Tricking Customers

In other words, OEMs are fooling customers into believing their handset is secure. They are doing this by moving forward the update dates without actually issuing a patch. Google has often said Android at its core is secure, but it can't control what happens to the open platform when it moves to OEMs.

In a statement to Wired, the company says there are other protections aside from updates, but failed to actually address the problem.

“Security updates are one of many layers used to protect Android devices and users, Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging.”

Luke Jones
Luke Jones
Luke has been writing about all things tech for more than five years. He is following Microsoft closely to bring you the latest news about Windows, Office, Azure, Skype, HoloLens and all the rest of their products.

Recent News