For those who are unaware, Google releases Android security patches every month. They go out immediately to the company's Pixel and Nexus devices, and third-party OEMs can then roll them out, typically at a later date.
As it turns out though, those OEMs might not be entirely honest about which security updates they're installing on your device, according to a report from Wired. Security Research Labs went through the firmware of 1,200 phones from over a dozen different OEMs, and found that not only were security updates missing, but OEMs would actually claim that the patches were installed, in many cases simply changing the date of the update.
The worst offenders were TCL and ZTE, which had four or more patches unaccounted for. Next were HTC, Huawei, LG, and Motorola, which all had an average of three or four missing. Xiaomi, OnePlus, and Nokia did better, with one to three missing updates. Finally, you wouldn't be surprised to hear that Google is in the zero to one category, but Sony, Samsung, and Wiko are there too.
Chip manufacturers were also accounted for. Devices with Samsung chips had an average of under 0.5 missing patches, while Qualcomm had an average of 1.1. Huawei's HiSilicon came in at 1.9, and MediaTek came in at an astonishing 9.7 missing patches per device.
It's unclear if the manufacturer of the chipsets actually has anything to do with the brands that are being less than truthful when it comes to updates. After all, Samsung chips are really only found in Samsung devices, and HiSilicon comes in Huawei devices. MediaTek chips are often found in lower cost devices, so they don't get updated as often.
As the report also points out, just because your phone might be missing a security update or two, that doesn't mean that it's easily hackable. Still, the idea that some OEMs are saying that these patches are installed on your device when they're not is unsettling.