If you have a Google Pixel smartphone you’re probably used to getting monthly security updates. If you have an Android phone from any other device maker… it’s complicated. While some phone makers have committed to delivering monthly security updates shortly after Google makes them available, many others do not.
But it turns out that if you’ve got anything other than a Pixel, there’s a chance your phone might not even have all the updates it says it does.
Wired reports that a group of researchers at Security Research Labs has discovered that many Android phones claim a security patch level that doesn’t accurately reflect the patches actually installed on those phones.
The researchers plan to present their findings at the Hack in the Box security conference tomorrow, but Wired highlights the key findings.
In a nutshell, you can go into your phone’s settings to see the latest date a patch was installed. Some phone makers failed to deliver all the updates you’d expect based on that date. And a few may have gone so far as to use an arbitrary date that implies your phone is more up to date than it is without delivering any security patches at all.
It’s bad enough that some phone makers don’t deliver monthly security updates (and some don’t even deliver updates regularly… or at all). But this finding paints an even grimmer picture: phone makers may be intentionally misleading users and providing a false sense of security.
Google’s phones were the only ones tested by the researchers that had never missed an update.
The researchers say phones from some companies including Sony and Samsung were only missing a single update that you’d have expected to be installed based on the stated patch level.
But Xiaomi, OnePlus, and Nokia missed up to 3 patches. HTC, Huawei, LG, and Motorola missed up to 4. And TCL and ZTE had phones that were missing more than 4 of the patches they claimed to have installed.
It’s also noteworthy that the phones that were most likely to have a high number of missed security patches were those with MediaTek processors. It’s unclear if that’s because MediaTek failed to make patches available to vendors or if phone makers failed to release available patches to users. One possible explanation is that most phones with MediaTek processors are low-cost devices that don’t get much support at all.
If you want to check to see whether your phone is missing any of the security updates it’s supposed to have, you can try running the latest version of SnoopSnitch, an app from Security Research Labs that lets you run an “Android patch level analysis.” When I ran it on my Google Pixel 2, the results were inconclusive, but that might be because I just installed a monthly update yesterday.
If there’s any good news here, it’s that even phones that haven’t received all the latest security updates are relatively difficult to hack using the types of vulnerabilities usually patched by monthly security updates. Wired reports that it’s far more likely that someone looking to hack your device will use phishing techniques, trying to get you to install an app downloaded from a source other than the Google Play Store in order to harvest your data or put you on a botnet.