Android device vendors dragging the chain on patch updates

16 Apr 2018

Despite being one of the most popular mobile operating systems in the world, it seems device vendors are dragging the chain on Android patching.

According to a blog from Security Research Labs, one of the core functions of keeping Android devices secure is regular patch updates – particularly when there are more than two billion devices currently running Android.

The company says that users should start asking their device vendor for monthly updates to cover all relevant patches, and it’s time for users to start verifying vendors’ claims about the security of their devices.

2016 statistics from Duo claim that only 17% of devices were operating on a recent patch level.

Although some device vendors have been providing regular patches, they haven’t been including all of the relevant ones.

While 60% of Android devices were able to receive the monthly security patch in 2016, only 25% were running the latest patch, the research found.

Security Research Labs claims that vendors TCL, Oppo and ZTE have four or more missed patches designated as critical or high severity. On the other end of the scale, Google, Samsung, Sony, ZUK, LeEco and BQ each have fewer than one missed patch.

Other vendors, including Xiaomi, Nokia, Motorola, Honor, HTC, Asus, LG, Huawei and Lenovo, all missed between one and four patches.

However, the research doesn’t mean the statistics are conclusive. The company is quick to point out that not all patch tests are conclusive, not all patches were included in the test, and a missing patch does not necessarily mean a vulnerability could be exploited.

The company expands on the point that missing patches are not enough for an attacker to remotely compromise an Android device. An attack must chain together several bugs to be successful.

“The criminal ecosystem seems to understand the challenges in hacking Android phones. Instead criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps. In fact, hardly any criminal hacking activity has been observed around Android over the past year,” the blog says.

However, as Android continues to dominate devices, hacking incentives will only get stronger. State-sponsored actors and persistent hackers will rely on zero-day vulnerabilities, as well as known bugs.

Device vendors must continue to fight back and keep devices secure, Security Research Labs says.

“No single defence layer can withstand large hacking incentives for very long, prompting ‘defence in depth’ approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android.”
