Security Update Gaps Highlight Risks in Android Ecosystem
A recent study has exposed significant security vulnerabilities within the Android ecosystem, exacerbated by device manufacturers—commonly referred to as OEMs—who fail to deliver timely updates. The research conducted by Karsten Nohl and Jakob Lell from Security Research Labs (SRL) casts doubt on the effectiveness of security updates on many Android devices, including those from well-known brands such as Samsung, Xiaomi, and OnePlus.
The investigation examined the firmware of 1,200 smartphones across various manufacturers for compliance with Android security patch releases from the previous year. The findings reveal a worrying trend: many companies are not delivering critical security patches, creating what researchers term a “patch gap.” According to Nohl, this gap leaves significant portions of the Android ecosystem susceptible to attacks. He noted that, “Sometimes these guys just change the date without installing any patches. For marketing reasons, they may set the patch level to an arbitrary date that looks favorable.”
Google publishes monthly security patches to mitigate risks within the Android platform; however, customization by manufacturers often results in delayed and incomplete updates. The SRL analysis identified the following missed patches for different brands: Google, Sony, Samsung, and Wiko Mobile reported only 0-1 missed patches; Xiaomi, OnePlus, and Nokia missed 1-3 patches; HTC, Huawei, LG, and Motorola saw 3-4 missed; and TCL and ZTE experienced more than four. The study focused specifically on updates addressing Critical and High severity vulnerabilities released in 2017.
Despite the shortcomings of various manufacturers, Google, Samsung, Sony, and Wiko Mobile continue to excel in patch application. Conversely, Chinese vendors such as Xiaomi and OnePlus have been criticized for their inadequate response to emerging security threats.
In an effort to address these vulnerabilities, Google has initiated Project Treble, which aims to enhance the Android update process. Launched with Android 8.0 Oreo, Project Treble separates the core hardware code from the operating system code, allowing faster delivery of updates. However, compatibility of this project depends on device manufacturers choosing to implement it. For instance, not all devices running Oreo support Treble, as seen with certain models from OnePlus.
As the security landscape continues to evolve, newer devices will be mandated to support Treble, potentially mitigating some of the existing delays in updates. For existing users, SRL offers the app SnoopSnitch, available for free to assess the patch level of their Android devices and verify the accuracy of vendor claims concerning device security.
In light of the findings, there are broader implications for businesses relying on Android devices. The failure to implement critical security updates can expose organizations to risks that align with various tactics and techniques outlined in the MITRE ATT&CK framework. Potentially applicable tactics include initial access, where threat actors exploit unpatched vulnerabilities to gain entry, as well as persistence strategies that enable them to maintain control after initial infiltration.
For business owners leveraging technology in their operations, staying informed about the security status of devices, including the timely application of updates, is paramount. These gaps in the Android security framework not only jeopardize individual devices but also pose significant risks to organizational data integrity and overall cyber resilience.