Android has a patch gap – don’t panic

patch gap

German-based Security Research Labs (SRL) has found a patch gap in Android. That means cyber attackers can get access to many devices. Don’t panic – it is hard to do.

Before you throw out that Android phone remember that there are more than two billion of them in the wild. About half of these (smartphones, tablets, set-top-boxes, etc.) are running versions 2-4. They are no upgrades because their makers are under no obligation to do so.

Android fragmentation is a prime cause of the patch gap

The rest are running 5.x Lollipop (25.1%) 6.x Marshmallow (28.6%), 7.x Nougat (26.3%), or later and the majority are yet to install the latest security updates.

Android may now be as safe as the other guy if you buy a smartphone with Android 7.x or later from a reputable manufacturer.

SRL presented the results to the HITB Conference (it is not easy reading) after creating an app called SnoopSnitch to check the OS against the CVE database. Over 100,000 phones were owner-tested.

Android updates are very complex leading to patch gap

One place it found patching fell over was the three-four step process to get to user’s phones. Unlike Microsoft, for example, that rolls out OS patches directly Android goes via chipset vendors, manufacturers (any user experience overlays), Telcos and more. Any one of these could fail.

patch gap
This example mentions Samsung – it is intended to cover all brands.

What chip you use effects patch gap

Samsung Exynos was least likely to miss a patch (<.5) followed closely by Qualcomm (1.1), HiSilicon (Huawei 1.9) to a massive 9.7 for Mediatek chips.

Part of the reason for Samsung’s great performance is that it makes the chip and the devices it goes in. Qualcomm is a reference standard, and its microcode is also very secure. HiSilicon is owned by Huawei and sold to a limited number of other smartphone makers, so it has good control.

However low-cost phones use Mediatek. This is precisely the ‘sell and forget mentality’ that makes buying a smartphone powered by this chip a gamble. The majority of devices never receive updates.

What brand you buy affects patch gap

You are much safer buying from one of the top ten. Google (that directly updates – a single step); Samsung; Sony; Nokia; HTC; LG; Motorola; and BBK (OPO, OnePlus, vivo).

TCL (Alcatel) and ZTE are up and coming makers, but they scored ‘more than four’ missing patches based on the fact that Alcatel is largely in the pre-paid market and ZTE do a huge amount of white labelling.

Blackberry, the undisputed safety king, missed 2-4 patches!

patch gapGadgetGuy – The good news is patch gap is getting smaller

SRL found that missing a few patches was not a problem on modern devices. It said to exclusively use Google Play to download apps. Android 7.x and later with sandboxing and protection handled most attacks.

Remote handset exploitation is very complex. Many attacks require the phone to be rooted or physically in the attacker’s possession.

Instead, criminals focus on social engineering. They trick users into installing malicious apps, often from insecure sources. Once installed these apps request excessive permissions to open OS doors. Hardly any criminal hacking activity in the past year has been for Android.