Story image

Android device vendors dragging the chain on patch updates

16 Apr 2018

Despite being one of the most popular mobile operating systems in the world, it seems device vendors are dragging the chain on Android patching.

According to a blog from Security Research Labs, one of the core functions of keeping Android devices secure is regular patch updates – particularly when there are more than two billion devices currently running Android.

The company says that users should start asking their device vendor for monthly updates to cover all relevant patches, and it’s time that users to start verifying vendors’ claims about the security of their devices.

2016 statistics from Duo claim that only 17% of devices were operating on a recent patch level.

Although some device vendors have been providing regular patches, they haven’t been including all of the relevant ones.

While 60% of Android devices were able to receive the monthly security patch in 2016, only 25% were running the latest patch, the research found.

Security Research Labs claims that TCL, Oppo and ZTE vendors have at least four or more missed patches designated as critical or high severity. On the other end of the scale, Google, Samsung Song, ZUK, KeEco, BQ and ZUK each have fewer than one missed patch.

Other vendors including Xiaomi, Nokia, Motorola, Honor, HTC, Asus, LG, Huawei, and Lenovo all missed between 1-4 patches.

However, the research doesn’t mean the statistics are conclusive. The company is quick to point out that not all patch tests are conclusive, not all patches were included in the test, and a missing patch does not necessarily mean a vulnerability could be exploited.

The company expands on the point that missing patches are not enough for an attacker to remotely compromise an Android device. An attack must chain together several bugs to be successful.

“The criminal ecosystem seems to understand the challenges in hacking Android phones. Instead criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps. In fact, hardly any criminal hacking activity has been observed around Android over the past year,” the blog says.

However, as Android continues to dominate devices, hacking incentives will only get stronger. State-sponsored actors and persistent hackers will rely on zero-day vulnerabilities, as well as known bugs.

Device vendors must continue to fight back and keep devices secure, Security Research Labs says.

:No single defence layer can withstand large hacking incentives for very long, prompting ‘defence in depth’ approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android.”

WeRide demonstrates pre-commercial level 4 autonomous driving solutions
“Our demonstration of the Nissan LEAF 2 is a significant step forward in showing that WeRide can help bring reliable, safe autonomous vehicles to market."
IDC: Innovative wearable use cases drive double-digit growth
Wristbands are set to lose their dominance as hearables and industrial applications keep the wearables market moving forward.
Turtle Beach buys ROCCAT, bringing more 'victories to gamers'
Germany-based Roccat already has a significant presence in Europe and Asia, which means Turtle Beach will likely take advantage of that growth. Expect to see more Turtle Beach products on the shelves. 
NVIDIA introduces a new breed of high-performance workstations
“Data science is one of the fastest growing fields of computer science and impacts every industry."
Apple says its new iMacs are "pretty freaking powerful"
The company has chosen the tagline “Pretty. Freaking powerful” as the tagline – and it’s not too hard to see why.
Cloud providers increasingly jumping into gaming market
Aa number of major cloud service providers are uniquely placed to capitalise on the lucrative cloud gaming market.
NZ ISPs issue open letter to social media giants to discuss censorship
Content sharing platforms have a duty of care to proactively monitor for harmful content, act expeditiously to remove content which is flagged to them as illegal.
Partnership brings AI maths tutor to NZ schools
“AMY can understand why students make a mistake, and then teach them what they need straight away so they don't get stuck."