Many manufacturers of Android devices are just faking security updates, researchers have found. Even so, users do not have to grab an iPhone right away, says IT security expert Karsten Nohl.
Interview by Marvin Strathmann
“Your system is up to date,” it says in the settings of many Android smartphones. But that does not mean that the system is well secured, as security researchers at the Berlin company Security Research Labs (SRL) have now found: many vendors skip important patches for security vulnerabilities, but still claim that all updates have been installed. For the user, the false manufacturer information creates a deceptive sense of security, and hackers have an easier time penetrating the system.
For their analysis, the researchers compared hundreds of Android versions. SRL CEO Nohl explains in an interview how users can find out the actual patch status of their smartphone and whether Android's competitor Apple is safer.
SZ: Mr. Nohl, what is your smartphone’s status?
On my Samsung phone, the updates for January are installed. That’s not optimal, but personally I’m happy with it because I do not know of any critical vulnerability that has come to light in the last three months. Of course, it could be better.
Is Samsung one of the manufacturers that conscientiously install patches, or is the company slashing the updates?
Samsung has improved a lot in the past few months. Like Sony, for example, the company misses an average of one patch per update. Only Google itself invariably installs all Android updates on its Pixel smartphones. With Motorola, Nokia or OnePlus there are already one or two patches missing. The cheap manufacturers in particular are worse when it comes to patching. The smartphones of the Chinese companies ZTE and TCL, for example, lack an average of four or more patches.
The case of Wiko, which is rather unknown in Germany, was especially extreme. It just changed the update date but did not install any patches. That’s simply a swindle. Wiko has now understood and changed its update strategy.
Can users find out what their updates really are, or do they have to trust the sometimes incorrect manufacturer information?
We developed the app “SnoopSnitch” for that, which shows users which patches are installed and which ones are missing. But even if the user notices that a patch is missing, he cannot simply install it afterwards. Only the manufacturer can prepare and install patches. So the user has to put pressure on Samsung, Motorola or HTC.
Is there intent behind this behavior, or are these mistakes?
Some manufacturers seem to be under a lot of pressure to push up patch numbers on a monthly basis. If users want the latest updates, sometimes only the date is changed. Thus, with some manufacturers – not all – the quality suffered. That led to mistakes. Even manufacturers like Samsung seem to have difficulty installing all the patches. But that’s exactly what we want to demand with our research. It’s not good enough to just do something every month. Manufacturers must fully install the updates.
How serious is it for Android users if a manufacturer does not install a patch?
On Windows systems, a single missing patch can mean the end of security. Fortunately, it is different for Android, because the system is designed so that something can go wrong. Each app is isolated from the rest of the operating system. Therefore, attackers need several vulnerabilities to infiltrate the system: at least two, often four.
A single forgotten patch is therefore not critical. But with every patch that is not installed, it’s more likely that an attacker who really wants to can hack a smartphone. However, normal users are not affected by this; Android is safe enough for them, even if some patches are missing. It is more about sensitive targets such as enemies of the state, journalists or whistleblowers.
Where are the dangers for normal users then?
Much more dangerous than missing patches is how users handle technology. If I want to install malicious software on tens of thousands of smartphones, then I can either investigate vulnerabilities and try to find missing patches, or I offer a contaminated pirated copy of a paid Android app on the net and probably only have to wait ten minutes until my virus has been installed a thousand times. This happens to an alarming extent.
About 20 million Android devices become infected each month as users install viruses. They trust apps from outside sources and ignore security alerts. The users basically say “I want to be hacked”. This has nothing to do with missing patches.
How can users protect themselves against fake apps?
Android users should be clear about this: any installed app is a potential risk. Even if you uninstall the app again, it may be too late. It is also important to give the apps as few rights as possible. Malicious apps require the user’s help twice: once during installation and then again when the app requires rights.
If a malicious app is allowed access to the stored photos, then it could encrypt all photos and demand a ransom from the user so he can get them back. Users should be very careful with the rights.
Do anti-virus apps help on Android devices?
Rather not, because the Android system is so secure that anti-virus programs cannot analyze the other apps. They do not get through themselves. Besides, Google does a damn lot: anything that third-party anti-virus scanners can do, the company already does itself. In its Play Store, the apps are scanned. Google also warns of known malicious programs that try to circumvent the Play Store and get onto devices. But even Google is not perfect because the villain has as many attempts as he wants. If only one out of a hundred problematic apps gets through, the hacker has reached his goal.
Do you advise worried Android users to get an Apple iPhone?
Apple has it easier in many cases. The company develops the operating system iOS itself, which runs on a few iPhones. Everything comes from a single source, while the Android system is influenced by Google, the individual device manufacturers, processor manufacturers and often also mobile service providers. Nevertheless, there is no reason to panic. Android is relatively safe compared with Windows.
There are many other reasons that speak for or against an Android smartphone or an iPhone. Safety should not come first. In most cases, Android is not hacked either. The Android users hack themselves by installing insecure apps. If you fall for a fraud, you cannot hold the operating system accountable.