Pierluigi Paganini April 14, 2018

Probably you don’t know that many Android smartphone vendors fail to roll out Google’s security patches and updates exposing the users to severe risks.

Researchers at Security Research Labs (SRL) that the problem also involves major vendors, including HTC, Huawei, and Motorola.

In some cases, manufacturers roll out incomplete security patches leaving the devices vulnerable to cyber attacks.

“Phones now receive monthly security updates. Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks.” reads the blog post published by the SRL team. 

The popular SRL experts Karsten Nohl and Jakob Lell presented the findings of the research at the Hack In The Box security conference in Amsterdam, the Netherlands.

The experts pointed out that that, even if Google is able to install some security patched over-the-air without vendor interaction, in some cases the fixes affect low-level faulty software components, such as drivers and system libraries, and this process needs the involvement of manufacturers.

The experts explained that some Android devices receive only half of the monthly updates, in some cases only from Google and none from the manufacturer.

The following table shows the average number of missing Critical and High severity patches before the claimed patch date (Samples – Few: 5-9; Many: 10-49; Lots: 50)
Experts clarified that some phones are included multiple times with different firmware releases.

Researchers at SRL explained that the only way to discover what is installed on your device is to take a look at what is included in the monthly fixes from Google verify that most important updates are present on the device.

The good news for users is that the failure in patch management is some cases is not enough for an attacker to remotely compromise an Android device and bypass defense mechanisms like Android’s sandbox and ASLR.

“Modern operating systems include several security barriers, for example, ASLR and sandboxing, all of which typically need to be breached to remotely hack a phone.” continues the researchers.

“Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack.”

I suggest you read the research paper for more details.

Pierluigi Paganini

(Security Affairs – Android devices, security patches)

[adrotate banner=”5″]

[adrotate banner=”13″]