Story image

Android device vendors dragging the chain on patch updates

16 Apr 18

Despite being one of the most popular mobile operating systems in the world, it seems device vendors are dragging the chain on Android patching.

According to a blog from Security Research Labs, one of the core functions of keeping Android devices secure is regular patch updates – particularly when there are more than two billion devices currently running Android.

The company says that users should start asking their device vendor for monthly updates to cover all relevant patches, and it’s time that users to start verifying vendors’ claims about the security of their devices.

2016 statistics from Duo claim that only 17% of devices were operating on a recent patch level.

Although some device vendors have been providing regular patches, they haven’t been including all of the relevant ones.

While 60% of Android devices were able to receive the monthly security patch in 2016, only 25% were running the latest patch, the research found.

Security Research Labs claims that TCL, Oppo and ZTE vendors have at least four or more missed patches designated as critical or high severity. On the other end of the scale, Google, Samsung Song, ZUK, KeEco, BQ and ZUK each have fewer than one missed patch.

Other vendors including Xiaomi, Nokia, Motorola, Honor, HTC, Asus, LG, Huawei, and Lenovo all missed between 1-4 patches.

However, the research doesn’t mean the statistics are conclusive. The company is quick to point out that not all patch tests are conclusive, not all patches were included in the test, and a missing patch does not necessarily mean a vulnerability could be exploited.

The company expands on the point that missing patches are not enough for an attacker to remotely compromise an Android device. An attack must chain together several bugs to be successful.

“The criminal ecosystem seems to understand the challenges in hacking Android phones. Instead criminals focus on social engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps. In fact, hardly any criminal hacking activity has been observed around Android over the past year,” the blog says.

However, as Android continues to dominate devices, hacking incentives will only get stronger. State-sponsored actors and persistent hackers will rely on zero-day vulnerabilities, as well as known bugs.

Device vendors must continue to fight back and keep devices secure, Security Research Labs says.

:No single defence layer can withstand large hacking incentives for very long, prompting ‘defence in depth’ approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android.”

Lenovo DCG moves Knight into A/NZ general manager role
Knight will now relocate to Sydney where he will be tasked with managing and growing the company’s data centre business across A/NZ.
Proofpoint launches feature to identify most targeted users
“One of the largest security industry misconceptions is that most cyberattacks target top executives and management.”
McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Review: Blue Mic’s Satellite headphones are good but...
Blue Mic’s newest wireless headphones deliver on sound, aesthetic, and comfort - but there is a more insidious issue at hand.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
IDC: Smartphone shipments ready to stabilise in 2019
IDC expects year-over-year shipment growth of 2.6% in 2019, while the world's largest market is still forecast to be down 8.8% in 2018.
Microsoft NZ bids Goldie a “fond farewell”
Microsoft New Zealand director of commercial and partner business takes new role across the Tasman. The search for his replacement has begun.