Android Vendors Regularly Omit Patches in Security Updates

There is a good chance that your Android phone doesn’t have all of the security patches that it should, as vendors regularly omit some vulnerability fixes, security researchers have discovered.

After looking at the firmware of devices from tens of device makers, Germany-based Security Research Labs researchers discovered that not all relevant patches are included in the monthly updates that Android phones receive.

After the Stagefright vulnerabilities were found to impact nearly one billion devices three years ago, Google started releasing monthly security updates for the Android platform to improve its overall security posture. Many vendors followed suit, announcing plans to keep up with Google and regularly deliver patches to their users.

However, only 17% of Android devices were found to run the most recent patch level in June 2016, and fixes were still arriving slowly in October that year. While many vendors have since improved their patching frequency and phones have started receiving monthly security updates, not all issues are addressed in those updates, the security researchers have discovered.

“Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks,” Security Research Labs says.

The security researchers analyzed the firmware of devices from over twenty vendors, looking for Critical and High severity patches the devices might be missing. They analyzed some phones multiple times, with different firmware releases, and only considered phones with a patch level of October 2017 or later.

The analysis revealed that most vendors failed to deliver at least one patch to their users, while a handful of them failed to deliver four or more patches. Given that not all patches were included in the tests, the actual number of missing patches could be much higher, the researchers say.

Missing patches don’t necessarily imply that the phones are vulnerable, considering the security improvements in modern operating systems, such as ASLR and sandboxing, which typically prevent exploitation of a single bug, the security researchers argue.

This means that a few missing patches don’t usually render a device open to remote compromise on their own. An attacker would need to chain together multiple bugs for a successful attack, the researchers note, adding that cybercriminals understand these challenges.

“Instead criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps. In fact, hardly any criminal hacking activity has been observed around Android over the past year,” Security Research Labs says.

Those willing to invest in hacking Android devices are state-sponsored and other persistent threat actors. Stealthy and well-funded, these attackers normally leverage zero-day vulnerabilities in their attacks, though they may also use known bugs to build exploit chains.

With monthly security updates arriving on many Android devices, it is important that these updates include all relevant patches. Users should start verifying their vendor’s claims about the security of their devices, and can measure their actual patch levels using free apps rather than relying on the patch date the firmware reports.

“As Android is ever increasing in popularity, the hacking incentives will only keep growing, as does the ecosystem’s responsibility for keeping its users secure. No single defense layer can withstand large hacking incentives for very long, prompting “defense in depth” approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android,” Security Research Labs concludes.

Original author: Ionut Arghire