SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Story image
Android device vendors dragging the chain on patch updates
Mon, 16th Apr 2018
FYI, this story is more than a year old

Despite being one of the most popular mobile operating systems in the world, it seems device vendors are dragging the chain on Android patching.

According to a blog from Security Research Labs, one of the core functions of keeping Android devices secure is regular patch updates – particularly when there are more than two billion devices currently running Android.

The company says that users should start asking their device vendor for monthly updates to cover all relevant patches, and it's time that users to start verifying vendors' claims about the security of their devices.

2016 statistics from Duo claim that only 17% of devices were operating on a recent patch level.

Although some device vendors have been providing regular patches, they haven't been including all of the relevant ones.

While 60% of Android devices were able to receive the monthly security patch in 2016, only 25% were running the latest patch, the research found.

Security Research Labs claims that TCL, Oppo and ZTE vendors have at least four or more missed patches designated as critical or high severity. On the other end of the scale, Google, Samsung Song, ZUK, KeEco, BQ and ZUK each have fewer than one missed patch.

Other vendors including Xiaomi, Nokia, Motorola, Honor, HTC, Asus, LG, Huawei, and Lenovo all missed between 1-4 patches.

However, the research doesn't mean the statistics are conclusive. The company is quick to point out that not all patch tests are conclusive, not all patches were included in the test, and a missing patch does not necessarily mean a vulnerability could be exploited.

The company expands on the point that missing patches are not enough for an attacker to remotely compromise an Android device. An attack must chain together several bugs to be successful.

“The criminal ecosystem seems to understand the challenges in hacking Android phones. Instead criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps. In fact, hardly any criminal hacking activity has been observed around Android over the past year,” the blog says.

However, as Android continues to dominate devices, hacking incentives will only get stronger. State-sponsored actors and persistent hackers will rely on zero-day vulnerabilities, as well as known bugs.

Device vendors must continue to fight back and keep devices secure, Security Research Labs says.

:No single defence layer can withstand large hacking incentives for very long, prompting ‘defence in depth' approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android.