ZTE and TCL appear to be among the worst offenders, while Google, Samsung and Sony are the best at patching. Researchers Karsten Nohl and Jakob Lell from Security Research Labs have spent the past two years reverse-engineering hundreds of Android devices in order to check if devices are really secure against the threats that they claim they are secure against. They have examined about 1,200 firmware samples taken from various smartphones which are sourced to various vendors. "Sometimes these guys just change the date without installing any patches". "The lesson is that if you go for a cheaper device, you end up in a less well maintained part to this ecosystem", said Nohl.
When it comes to the consumer, it gets hard to identify if their device has been actually receiving the security update or not. "Probably for marketing reasons, they just set the patch level to nearly an arbitrary date, whatever looks best", Karsten Nohl, Security Research Labs founder, told the publication. He added by saying that a few years back a security industry has made the problem worse for all as it asked all vendors to do a patch every month which is not possible as the Android ecosystem is very complex. The phones all claim to have received at least one security update since October 2017. Yes and no. While it's disgraceful for the companies to misrepresent a security patch level, SRL points out that often chip vendors are to blame: devices sold with MediaTek chips often lack many critical security patches because MediaTek fails to provide the necessary patches to device makers. However, does this excuse manufacturers who say their devices are fully updated when they are not?
As for Google's response to this research, the company acknowledges its importance and has launched an investigation into each device with a noted "patch gap".
Or so you'd think. Out of the 1,200 phones that were tested by the firm, including devices from Google (the primary source for updates to Pixel phones), Samsung, HTC, Motorola, and TCL, the issue impacted even the flagship models from the likes of Samsung and Sony.
The decision to choose one smartphone brand over the other is also influenced by how soon the manufacturer is rolling out regular security and software updates.
One of the interesting revelations from the research is that even major vendors such as Xiaomi and Nokia (which promise swifter updates) had on an average between one and three missing patches, whereas HTC, Motorola, and LG had missed between three and four patches.
But hacking an Android device is harder than it seems, as Android phones come with a broader set of security measures like address space layout randomization and sandboxing.