Android manufacturers are full of lies! You may have received a fake security patch

The fragmentation of the Android ecosystem has long been a sore spot for Google. System upgrades have been a persistent problem, and delivering security patches has been just as much of a headache; after all, dozens of manufacturers, hundreds of carriers and thousands of device models add up to no small number of combinations.

If you are an Android enthusiast, you already know the harsh reality: many smaller manufacturers do not deliver security patches on time.

That is not the worst of it, however. A German security company studied hundreds of Android phones and found that some manufacturers not only delay security patches, but simply lie to users and pretend that patches have been delivered.

When it comes to security patches, has cheating become an unspoken rule in the industry?


On Friday at the Hack in the Box security conference in Amsterdam, researchers Karsten Nohl and Jakob Lell from Security Research Labs (SRL) plan to announce a surprising result.

According to Leifeng.com, over the past two years the two researchers reverse-engineered the operating system code of a large number of Android phones to verify whether those devices had actually been patched as the manufacturers promised. What they found was a huge "patch gap".

For example, many manufacturers told users that they had completed the Android security update on time, when in fact the announcement was mere lip service to reassure users and nothing had been done.

In other words, users are taking a placebo, and once they are targeted by attackers they will still be hurt.

"We've found that vendors are great at talking big, but disappear when it comes time to apply security patches," Nohl said. "Sometimes these guys don't even bother to change the patch description, they just change the date and call it a day. Maybe it's for marketing purposes? Anyway, they just set an update date to make it look good."

The “Patch Gap”

SRL tested the firmware of 1,200 mobile phones from dozens of mobile phone manufacturers, including Google's own, Samsung, Motorola, HTC and other well-known giants, as well as ZTE and TCL from China.

The results show that apart from Google's own flagship Pixel and Pixel 2, which received security patches on schedule, every other manufacturer has learned to cut corners, and the security updates of smaller niche manufacturers are even more of a mess.

Nohl pointed out that in the past people might have assumed manufacturers would abandon only their old products, but in fact they neglected new products too, with each lie slicker than the last. Users did not receive the service they were promised, only a paper security shield.

"During our research we did find vendors that had not released a single security update, but the level of date changes they made was not low, which could be considered deliberate deception."

If some small manufacturers have gone off the rails, the big international manufacturers at least still have a conscience: Samsung or Sony, for example, only occasionally miss one or two minor patches. Even so, Nohl found some strange inconsistencies.

For example, the 2016 Samsung J5 tells users in detail which patches have been applied and which have not, while the 2016 Samsung J3 reports itself as fully patched when in fact Samsung had missed 12 patches on it.

It is hard to believe that one manufacturer can behave so inconsistently, and ordinary users have no way to tell the difference. Fortunately, SRL has done the work this time: you can check whether your manufacturer has fooled you with their Android app SnoopSnitch.
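A lightweight sanity check, added here as an example and not SRL's own method (SnoopSnitch compares firmware binaries against known fixes), of the patch level a device reports through `getprop`: it flags a level that is simply stale, and a build compiled long before the level it advertises, which is what a "date-only" update looks like from the outside. The sample `getprop` output and the 45-day preview window are constructed assumptions.

```python
"""Sanity-check the security patch level an Android build claims.

Parses `[key]: [value]` lines as printed by `adb shell getprop` and flags
two situations the article describes: a patch level that is simply stale,
and a build compiled long before the patch level it advertises, which is
what a "date-only" update looks like from the outside.
"""
import re
from datetime import date, datetime, timezone

# Assumption: OEMs receive bulletin fixes roughly a month before publication,
# so a build dated more than ~45 days before its claimed level is suspicious.
MAX_PREVIEW_DAYS = 45

def parse_getprop(output: str) -> dict:
    """Turn getprop-style `[key]: [value]` lines into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]: \[([^\]]*)\]$", output, re.M)}

def months_behind(patch_level: str, today: date) -> int:
    """Whole months between a YYYY-MM-DD patch level and the reference date."""
    y, m, _ = (int(p) for p in patch_level.split("-"))
    return (today.year - y) * 12 + (today.month - m)

def check_patch_level(output: str, today_iso: str, max_lag_months: int = 3) -> dict:
    props = parse_getprop(output)
    level = props["ro.build.version.security_patch"]
    build_day = datetime.fromtimestamp(int(props["ro.build.date.utc"]),
                                       tz=timezone.utc).date()
    lag = months_behind(level, date.fromisoformat(today_iso))
    gap_days = (date.fromisoformat(level) - build_day).days
    return {
        "patch_level": level,
        "months_behind": lag,
        "stale": lag > max_lag_months,
        "build_before_level_days": gap_days,
        "implausible": gap_days > MAX_PREVIEW_DAYS,
    }

# Constructed sample: a build compiled on 2017-10-10 that claims the 2018-03-05 level.
SAMPLE = """\
[ro.build.date.utc]: [1507636800]
[ro.build.fingerprint]: [example/device/device:7.0/NRD90M/1:user/release-keys]
[ro.build.version.security_patch]: [2018-03-05]
"""

if __name__ == "__main__":
    print(check_patch_level(SAMPLE, "2018-04-13"))
```

An "implausible" result is only a hint that deserves a closer look, since it cannot distinguish a mislabelled build from a deceptive one.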

Cheap models are the hardest hit

After completing the tests, SRL produced a chart (below) that sorts the manufacturers into three categories according to how honestly they patched vulnerabilities in 2017 (counting devices that received at least one security update in October or later).

The best performers are Google, Sony, Samsung and WIKO; Xiaomi, OnePlus and Nokia form the second tier; and the worst performers are ZTE and TCL, which all claimed to have completed more than 4 security updates that were in fact never delivered.

Don't rush to cross third- and fourth-tier brands off your wish list just yet, because SRL points out that the chip suppliers may also be to blame for missing patches.

They found that mobile phones equipped with MediaTek chips would miss an average of 9.7 patches (as shown below), while products using Samsung chips were the safest. Qualcomm and HiSilicon, which ranked second and third, were also much safer than MediaTek.

Seen from this angle, the conclusion is that low-end phones really are not safe enough: spend your money carelessly and you end up in a shabby, deceptive ecosystem.

"Wired" asked Google about these findings. The search giant first praised SRL's work, then changed the subject, noting that some of the models studied were not Android certified, meaning they never met Google's security standards in the first place.

At the same time, Google also pointed out that the security features of modern Android phones are strong enough. They have built many layers of protection for users, and it is difficult for hackers to break through even without patches.

Google also argued that some manufacturers remove a vulnerable feature instead of shipping the security update for it, and that some low-end devices may not even include the feature that a given patch fixes.

Nohl also responded to Google's comments, saying that the excuses Google made for the manufacturers were too far-fetched and the probability of such a situation happening was too low.

It's not easy to hack Android

However, Nohl did not press Google relentlessly. On the contrary, he believes that exploiting missed patches to break into Android is not easy. Even users who bought models whose patches the manufacturer skipped are still protected by the Android platform itself.

For example, since Android 4.0 Google has used address space layout randomization (ASLR), which places applications at random locations in memory, making it much harder for malware to reliably compromise a phone. In addition, Android has a strong sandbox mechanism, so even if one app is compromised, the malicious code is contained and cannot spread.

This means that unless a mobile phone has countless vulnerabilities, it is difficult for hackers to gain complete control of the phone.

Nohl said that because attacking Android directly is hard, cyber criminals take indirect routes. They study human psychology and can easily get malware onto victims' phones by luring them with free or pirated software that promises a small reward.

At the same time, Nohl reminded everyone that state-backed hacker groups do not bother with such tricks. Most of them go straight to zero-day vulnerabilities (undisclosed flaws for which no patch exists) to launch attacks. Sometimes they also use mixed attack chains, combining zero-day vulnerabilities with ordinary, already-patched ones.

When it comes to defending against attackers, Nohl believes the military notion of "defense in depth" is the most effective. Although Android is not easy to break into, every patch you miss may cost you a layer of defense. Better not to dig a hole for yourself.

Google: The "nanny" who uses both kindness and force

Google has worked so hard on security patches that it is practically spoon-feeding them to the phone manufacturers.

However, due to the complex market environment, interest relations and their own capabilities, mobile phone manufacturers have mixed emotions about the security patches proactively provided by Google. Some don't care, some are very positive, and some even simply choose to forget.

A report released by German security company G DATA on May 5, 2017 showed that 750,000 new Android malware samples appeared in the first quarter of 2017; the growth has slowed slightly, but the total is expected to exceed 3.5 million for the whole year, a new record.

G DATA pointed out that Google is paying more and more attention to the security of the Android system and pushes security patches every month, but the biggest problem is that manufacturers are too slow to follow up.

That is why Google has adopted a combination of carrot and stick to push OEMs to roll out Android security patches on time, and has begun publishing the update status of security patches. Under Google's plan, in 2017 it will work with carriers to urge and pressure OEMs.

But clearly, third-party manufacturers that can no longer bury their heads in the sand have instead resorted to deception.

Under the question "Why do many Android manufacturers not pay attention to security patch updates?" on Zhihu, I saw answers from several anonymous users:

  • In fact, Lenovo, Dell, and HP will not help you with system security updates;
  • Because security updates are not made by these companies, they are not responsible for whether there are problems with these security updates. They can either invest manpower and material resources to test and verify them, or skip them;
  • You can see that each Android manufacturer is quite active in pushing their own UI updates. After all, they make and test them themselves, so they have a good idea of what is going on.
  • In the final analysis, if the manufacturer pushes updates to you, any problems are the responsibility of the manufacturer. At this time, Google is actually a third-party manufacturer, and the updates they provide are certainly not the first consideration;
  • When a forum posts an Android version update, a large group of people will go wild;
  • When a UI version update is posted on the forum, a bunch of people will go crazy;
  • When a security patch update is posted on the forum, some people will increase their points;

In fact, many people don’t know what security patches are for, so of course they don’t care.

Windows charges a licensing fee, but manufacturers don't have to pay to use Android. However, the upstream code has security patches, and manufacturers are fully capable of testing and releasing updates. They are just irresponsible.

At the end of 2016, Android security director Adrian Ludwig publicly stated at the O'Reilly Security Conference that in terms of security, Android phones and iPhones are "almost identical."

But now it seems that this statement is conditional.
