Story image

Android device vendors dragging the chain on patch updates

16 Apr 2018

Despite being one of the most popular mobile operating systems in the world, it seems device vendors are dragging the chain on Android patching.

According to a blog from Security Research Labs, one of the core functions of keeping Android devices secure is regular patch updates – particularly when there are more than two billion devices currently running Android.

The company says that users should start asking their device vendor for monthly updates to cover all relevant patches, and it’s time that users to start verifying vendors’ claims about the security of their devices.

2016 statistics from Duo claim that only 17% of devices were operating on a recent patch level.

Although some device vendors have been providing regular patches, they haven’t been including all of the relevant ones.

While 60% of Android devices were able to receive the monthly security patch in 2016, only 25% were running the latest patch, the research found.

Security Research Labs claims that TCL, Oppo and ZTE vendors have at least four or more missed patches designated as critical or high severity. On the other end of the scale, Google, Samsung Song, ZUK, KeEco, BQ and ZUK each have fewer than one missed patch.

Other vendors including Xiaomi, Nokia, Motorola, Honor, HTC, Asus, LG, Huawei, and Lenovo all missed between 1-4 patches.

However, the research doesn’t mean the statistics are conclusive. The company is quick to point out that not all patch tests are conclusive, not all patches were included in the test, and a missing patch does not necessarily mean a vulnerability could be exploited.

The company expands on the point that missing patches are not enough for an attacker to remotely compromise an Android device. An attack must chain together several bugs to be successful.

“The criminal ecosystem seems to understand the challenges in hacking Android phones. Instead criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps. In fact, hardly any criminal hacking activity has been observed around Android over the past year,” the blog says.

However, as Android continues to dominate devices, hacking incentives will only get stronger. State-sponsored actors and persistent hackers will rely on zero-day vulnerabilities, as well as known bugs.

Device vendors must continue to fight back and keep devices secure, Security Research Labs says.

:No single defence layer can withstand large hacking incentives for very long, prompting ‘defence in depth’ approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android.”

Thycotic debunks top Privileged Access Management myths
Privileged Access encompasses access to computers, networks and network devices, software applications, digital documents and other digital assets.
Veeam reports double-digit Q1 growth
We are now focussed on an aggressive strategy to help businesses transition to cloud with Backup and Cloud Data Management solutions.
Paving the road to self-sovereign identity using blockchain
Internet users are often required to input personal information and highly-valuable data from contact numbers to email addresses to make use of the various platforms and services available online.
Tech Data to distribute Nutanix backup solution in A/NZ
Tech Data will distribute HYCU Data Protection for Nutanix backup and recovery software to their network of partners across Australia and New Zealand.
Veeam releases v3 of its MS Office backup solution
One of Veeam’s most popular solutions, Backup for Office 365, has been upgraded again with greater speed, security and analytics.
Too many 'critical' vulnerabilities to patch? Tenable opts for a different approach
Tenable is hedging all of its security bets on the power of predictive, as the company announced general available of its Predictive Prioritisation solution within Tenable.io.
Safety solutions startup wins ‘radical generosity’ funding
Guardian Angel Security was one of five New Zealand businesses selected by 500 women (SheEO Activators) who contributed $1100 each.
Industrial control component vulnerabilities up 30%
Positive Technologies says exploitation of these vulnerabilities could disturb operations by disrupting command transfer between components.