Google could obligate Android OEMs to pass on security patches
21 May 2018
Back in April, an eye-opening research by Security Research Labs revealed how Android smartphone manufacturers were deceiving their customers by telling them that they had patched their devices with the latest security updates from Google without patching anything at all.
“Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates. Our large study of Android phones finds that most Android vendors regularly forget to include some patches, leaving parts of the ecosystem exposed to the underlying risks,” the firm said.
While Android smartphone makers like Samsung, Sony, LeEco, Google and BQ did not miss more than one patch, the likes of OnePlus, Xiaomi, Nokia, Motorola, and Honor missed between one to two patches, HTC, BlackBerry, Asus, LG, Huawei and Lenovo missed between 2 to 4 patches, and Oppo, ZTE, Alps, and TCL missed 4 or more patches.
“No single defense layer can withstand large hacking incentives for very long, prompting “defense in depth” approaches with multiple security layers. Patching is critically important to uphold the effectiveness of the different security layers already found in Android,” they added.
OEMs could be forced to pass on updates
Google has now hinted that it may make it obligatory for Android device manufacturers to pass on critical security updates to their devices. This would ensure that the number of Android devices featuring the latest security updates provided by Google would rise massively in the future.
“We have a pretty steady track record for years now, every single month delivering… patches to the market. We want to make sure that all Android OEMs are delivering patches regularly to their devices as well, not just Google’s devices,” said David Kleidermacher, head of Android Security at Google at the company’s I/O Developer Conference.
He said that the requirement to pass on security updates to customers in a timely manner would be included in future OEM agreements, thereby ensuring manufacturers will be legally obligated to pass on security updates. It could also stop the spread of harmful and sophisticated malware variants that have the capability to quickly spread within the Android ecosystem and infect millions of devices in a short span of time.
For example, researchers at Quick Heal discovered a malicious Android banking trojan earlier this year which hid behind a fake Flash Player app on third-party app stores and exploited the popularity of the Flash Player to infect millions of Android devices.
Not only did the trojan infect apps run by prominent Indian banks like the State Bank of India, Axis Bank, HDFC Bank, ICICI Bank, IDBI Bank, Union Bank of Commerce, and Bank of Baroda, but also infected banks and cryptocurrency exchanges in other countries like Bitfinex, Bitconium, Freewallet, WUBS Prepaid, Alfa-Direct, GarantiBank, QNB Finansinvest, Commerzbank, PayPal, Bank of America, Wells Fargo Bank, NatWest Bank, Halifax and Santander UK.
Other popular apps like Amazon Shopping, 365Scores, PokerStars Live, eBay, Amazon for Tablets, and Western Union US were also targeted by the said trojan.