Researchers Karsten Nohl and Jakob Lell from security firm Security Research Labs have uncovered a hidden patch gap in Android devices. The two conducted a two-year analysis of 1,200 Android phones, and just presented their results during the Hack in the Box conference in Amsterdam.
Android’s Hidden Patch Gap Explained
Android has had its difficulties with patching in the past: only 17% of devices were running a recent patch level in 2016, the researchers pointed out. Although vendors have since improved their patch frequency, it turns out that Android is still not as fully secured as it should be.
More specifically, the newly released large-scale study of Android phones reveals that most Android vendors regularly omit some patches from their updates, leaving parts of the ecosystem exposed to various threats.
Modern operating systems include several security barriers, for example ASLR and sandboxing, all of which typically need to be breached to remotely hack a phone. Owing to this complexity, a few missing patches are usually not enough for a hacker to remotely compromise an Android device. Instead, multiple bugs need to be chained together for a successful hack.
The problem is that malicious actors are aware of the challenges in hacking Android phones. Thus, the focus is on social engineering tricks where users are lured into installing malicious applications. We have seen plenty of infections stemming from infected apps downloaded from third-party stores and sometimes even from Google Play.
Once installed on a device, the app is granted excessive permissions and the attackers can do whatever they set out to do. In other words, to get access to Android phones, attackers don’t need to carry out complex hacking activities; they just need to trick the user into installing a bad app. State-sponsored attackers, of course, can operate in a stealthy manner and often employ zero-day flaws in their attacks.
Be aware of your Android patch level, the researchers advise
Patching is critically important to uphold the effectiveness of the different security layers already found in Android. Now that monthly patches are an accepted baseline for many phones, it’s time to ask for each monthly update to cover all relevant patches.
Users can verify their vendors’ patching claims by measuring the patch level of their Android phones with a free app called SnoopSnitch. SnoopSnitch is designed to analyze the phone’s firmware and provides a detailed report of the patch status of vulnerabilities (CVEs) on a monthly basis.