Google has long struggled with how best to get dozens of Android smartphone manufacturers—and hundreds of carriers—to regularly push out security-focused software updates.
But when one German security firm looked under the hood of hundreds of Android phones, it found a troubling new wrinkle:
Not only do many Android phone vendors fail to make patches available to their users, or delay their release for months; they sometimes also tell users their phone's firmware is fully up to date, even while they've secretly skipped patches. On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell of the firm Security Research Labs plan to present the results of two years of reverse-engineering hundreds of Android phones' operating system code, painstakingly checking if each device actually contained the security patches indicated in its settings.
They found what they call a "patch gap": In many cases, certain vendors' phones would tell users that they had all of Android's security patches up to a certain date, while in reality missing as many as a dozen patches from that period—leaving phones vulnerable to a broad collection of known hacking techniques.
"We find that there's a gap between patching claims and the actual patches installed on a device. It’s small for some devices and pretty significant for others," says Nohl, a well-known security researcher and SRL's founder. In the worst cases, Nohl says, Android phone manufacturers intentionally misrepresented when the device had last been patched. "Sometimes these guys just change the date without installing any patches. Probably for marketing reasons, they just set the patch level to almost an arbitrary date, whatever looks best."
The Patch Gap
SRL tested the firmware of 1,200 phones, from more than a dozen phone manufacturers, for every Android patch released in 2017. The devices were made by Google itself as well as major Android phone makers like Samsung, Motorola, and HTC, and lesser-known Chinese-owned companies like ZTE and TCL. Their testing found that other than Google's own flagship phones like the Pixel and Pixel 2, even top-tier phone vendors sometimes claimed to have patches installed that they actually lacked. And the lower-tier collection of manufacturers had a far messier record.
The problem, Nohl points out, is worse than vendors merely neglecting to patch older devices, a common phenomenon. Instead, it's that they tell users they install patches that they in fact don't, creating a false sense of security. "We found several vendors that didn’t install a single patch but changed the patch date forward by several months," Nohl says. "That’s deliberate deception, and it's not very common."
More often, Nohl believes, companies like Sony or Samsung would miss a patch or two by accident. But in other cases, the results were harder to explain: SRL found that one Samsung phone, the 2016 J5, was perfectly honest about telling the user which patches it had installed and which it still lacked, while Samsung's 2016 J3 claimed to have every Android patch issued in 2017 but lacked 12 of them—two considered as "critical" for the phone's security.
Given that kind of hidden inconsistency, "it's almost impossible for the user to know which patches are actually installed," Nohl says. In an effort to solve that missing patch transparency problem, SRL Labs is also releasing an update to its Android app SnoopSnitch that will let users check their phone's code for the actual state of its security updates.
A Patchwork of Patching Practices
After averaging out the results of every phone tested for each vendor, SRL produced the chart below, which splits vendors into three categories based on how faithfully their patching claims matched reality in 2017, focusing only on phones that received at least one patch in October of 2017 or later. Phones from major Android vendors including Xiaomi and Nokia had on average between one and three missing patches, and even major vendors like HTC, Motorola, and LG missed between three and four of the patches they claimed to have installed. But the lowest-performing companies on the list were the Chinese firms TCL and ZTE, all of whose phones had on average more than four patches that they'd claimed to have installed, but hadn't.
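As an added illustration of the comparison SRL describes (this is not SRL's or SnoopSnitch's code), the following Python derives a per-device patch gap from a claimed patch level and the patches actually found in the firmware, averages the gap per vendor with the same October 2017 cutoff, and flags the case the article calls out: a patch date moved forward without any of the recent fixes shipping. The bulletin contents, vendor names, and patch identifiers are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed bulletin data (placeholders, not real patch or CVE identifiers):
# bulletin month -> set of patch IDs that month's Android security bulletin shipped.
BULLETINS = {
    date(2017, 8, 1): {"P-2017-08-a", "P-2017-08-b"},
    date(2017, 9, 1): {"P-2017-09-a"},
    date(2017, 10, 1): {"P-2017-10-a", "P-2017-10-b", "P-2017-10-c"},
    date(2017, 11, 1): {"P-2017-11-a"},
}

def expected_patches(claimed):
    """Every patch from bulletins dated at or before the claimed patch level."""
    return set().union(*(ids for month, ids in BULLETINS.items() if month <= claimed))

def patch_gap(claimed, installed):
    """Patches the device claims (via its patch level) but does not actually contain."""
    return expected_patches(claimed) - installed

def date_only_bump(claimed, installed, months=2):
    """True when none of the patches from the last `months` bulletins at or before the
    claimed level are present: the date moved forward, the code did not change."""
    recent = sorted(m for m in BULLETINS if m <= claimed)[-months:]
    return bool(recent) and all(not (BULLETINS[m] & installed) for m in recent)

def vendor_averages(devices, cutoff=date(2017, 10, 1)):
    """Average gap per vendor, counting only devices patched at or after the cutoff."""
    gaps = defaultdict(list)
    for vendor, claimed, installed in devices:
        if claimed >= cutoff:
            gaps[vendor].append(len(patch_gap(claimed, installed)))
    return {vendor: sum(g) / len(g) for vendor, g in gaps.items()}

# Constructed device records: (vendor, claimed ro.build.version.security_patch value,
# patch IDs a code-level check found in the firmware). Hypothetical vendors.
ALL = expected_patches(date(2017, 11, 1))
DEVICES = [
    ("HonestCo", date(2017, 11, 1), set(ALL)),
    ("HonestCo", date(2017, 10, 1), expected_patches(date(2017, 10, 1)) - {"P-2017-10-b"}),
    ("SloppyCo", date(2017, 11, 1), ALL - {"P-2017-10-a", "P-2017-10-c", "P-2017-11-a"}),
    ("BumperCo", date(2017, 11, 1), expected_patches(date(2017, 9, 1))),  # date-only bump
    ("BumperCo", date(2017, 8, 1), expected_patches(date(2017, 8, 1))),   # dropped by cutoff
]

if __name__ == "__main__":
    for vendor, claimed, installed in DEVICES:
        print(vendor, claimed, sorted(patch_gap(claimed, installed)),
              "DATE-ONLY BUMP" if date_only_bump(claimed, installed) else "")
    print(vendor_averages(DEVICES))
```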
SRL also points to chip suppliers as one possible reason for missing patches: While phones with processors from Samsung had very few silently skipped patches, ones that used chips from the Taiwanese firm MediaTek lacked a whopping 9.7 patches on average. That may in some cases be simply because cheaper phones are more likely to skip patches, and also tend to use cheaper chips. But in other cases, it's because bugs are found in the phone's chips rather than in its operating system, and the phone manufacturer depends on the chipmaker to offer a patch. As a result, cheaper phones that source chips from lower-end suppliers inherit those suppliers' missed patches. "The lesson is that if you go for a cheaper device, you end up in a less well maintained part to this ecosystem," Nohl says.
When reached for comment, Google said that it appreciated SRL's research, but responded by pointing out that some of the devices SRL analyzed may not have been Android certified devices, meaning they're not held to Google's standards of security. They noted that modern Android phones have security features that make them difficult to hack even when they do have unpatched security vulnerabilities. And they argued that in some cases, patches might have been missing from devices because the phone vendors responded by simply removing a vulnerable feature from the phone rather than patching it, or the phone didn't have that feature in the first place. The company says it's working with SRL Labs to further investigate its findings. "Security updates are one of many layers used to protect Android devices and users," added Scott Roberts, Android product security lead. "Built-in platform protections, such as application sandboxing, and security services, such as Google Play Protect, are just as important. These layers of security—combined with the tremendous diversity of the Android ecosystem—contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging."
In response to Google's assertion that some patches may have been unnecessary because the vulnerable feature was missing from the phone or removed in response to the vulnerability, Nohl counters that those situations are very rare. "It’s definitely not a significant number," he says.
Not the Lowest Hanging Fruit
More surprisingly, Nohl agrees with Google's other major point: Hacking Android phones by exploiting their missing patches is far harder than it sounds. Even Android phones that don't have solid patching records still benefit from Android's broader security measures, like address space layout randomization—which since Android 4.0 (Lollipop) has randomized the location of a program in memory to make it harder for malware to exploit other parts of the phone—and sandboxing, which limits a malicious program's access to the rest of the device.
That means most hacking techniques, known as exploits, that can gain full control of a target Android phone require taking advantage of a series of vulnerabilities in a phone's software, not just one missed patch. "Even if you miss certain patches, chances are they’re not aligned in a certain way that allows you to exploit them," Nohl says.
As a result, he says, Android phones are far more often hacked with simpler schemes, namely rogue apps that find their way into the Google Play Store or that trick users into installing them from other sources outside of the Play Store. "Criminals will most likely stick with social engineering as long as humans are gullible and install free or pirated software that comes packaged with malware," Nohl says.
Advanced, state-sponsored hackers carrying out more targeted attacks on Android devices, however, may be another story. For the most part, Nohl argues they likely use zero-day vulnerabilities—secret hackable bugs for which no patch exists at all—rather than known but unpatched vulnerabilities. But in many cases they might use known and yet unpatched bugs in phones in combination with zero-day vulnerabilities; he refers, as an example, to the spyware FinFisher, which at one point took advantage of a known Android vulnerability called Dirty COW in addition to its own fresh zero-day exploits.
Nohl cites the security principle of "defense in depth"—that security is most effectively implemented in multiple layers. And every missed patch is potentially one less layer of protection. "You should never make it any easier for the attacker by leaving open bugs that in your view don’t constitute a risk by themselves, but may be one of the pieces of someone else's puzzle," Nohl says. "Defense in depth means install all the patches."