Timely software updates are already an issue with Android OEMs, and to make matters worse, some of them have been found lying to consumers about security patches. Some Android phone makers have apparently been skipping critical security updates and assuring consumers that they are protected against certain threats when in fact their devices remain vulnerable. Some manufacturers have even gone so far as to alter the security patch date shown on devices, even though no actual patches were installed on them.
SRL’s testing concluded that, apart from Google’s own Pixel and Pixel 2 range of smartphones, even premium smartphone manufacturers like Samsung and Sony had missed some security patches and misrepresented the security level of their smartphones. In a few cases it was found to be human error, where companies like Samsung and Sony missed a couple of patches, whereas those like Xiaomi, OnePlus, and Nokia were found to be missing at least 1-3 patches. Brands like HTC, Huawei, LG and Motorola were second worst, missing at least 3-4 security patches, while the lesser-known TCL and ZTE were found to have missed more than 4 patches.
The research further explains that the blame for missing security patches does not necessarily fall on OEMs alone; chipmakers are also to blame. For instance, smartphones sporting MediaTek chipsets are often missing critical security updates because the chipmaker does not provide timely patches to the device manufacturers. In contrast, Samsung, Qualcomm and LG were found to have missed fewer patches.
Google has taken the research into account and is investigating the patch-gap issue.