New research shows that many Android devices are missing some security patches despite displaying patch levels that should include them. That said, implementing remote code execution attacks that can compromise Android devices without user interaction is very difficult, which is why cybercriminals continue to prefer social engineering over technical exploitation, researchers found.
Researchers from Berlin-based Security Research Labs (SRLabs), a security research outfit and consultancy, have developed an automated method to test if Android phones have the security patches that their firmware claims they have. They’ve already used the technique, which relies on binary analysis, to scan a large number of device firmware images and plan to present their findings Friday at the Hack in the Box security conference in Amsterdam.
In 2015, Google began releasing Android security updates on a monthly schedule and also added a date string to Android’s “About phone” screen to indicate the device’s patch level. The company’s security bulletins contain two such patch levels: one that covers fixes in standard OS components typically found in all devices and one that covers vulnerabilities in hardware-specific components, such as chipset drivers, that only some phones will have.
The SRLabs researchers were interested in understanding the susceptibility of Android devices to stealthy remote attacks that don’t require any user interaction or social engineering. Such attacks are commonly used against desktop operating systems and other types of internet-exposed devices.
The researchers excluded from their test the patches for vulnerabilities in the Android kernel. The majority of these can be used for privilege escalation (rooting), but exploiting them requires attackers to already have local access to the device, such as through a malicious app they tricked users into installing. The patches for components whose source code is not publicly available were also set aside, because building detection signatures for them was not possible.
They were left with about 180 patches released throughout 2017 for critical and high-severity vulnerabilities in userland components that typically can be reached with a remote attack vector. Of these, the researchers were able to build tests for 164 patches.
Their subsequent scans on hundreds of phone firmware images found that, on average, Android devices were missing three patches that they should have had, according to their advertised patch levels.
Some phone makers fared better than others: For example, devices from Google, HTC, Sony, Nokia and Motorola were missing between zero and two patches on average, while devices from ZTE, TCL, Wiko and Oppo were missing four patches or more. Phones from Samsung, LG, OnePlus, Xiaomi and Huawei scored somewhere in the middle, with between two and four missing patches on average.
The chipsets used in devices appeared to influence the patching gaps. For example, devices with MediaTek chipsets had the highest number of missing patches—around seven on average—while those using Qualcomm and HiSilicon chipsets were missing only two patches.
There are probably multiple reasons for these patching oversights. For one, phone manufacturers are often dependent on the source code provided to them by chipset vendors, and if those vendors fail to integrate some patches, devices using their chipsets will not get them.
The heavy customizations made to the original Android codebase by some phone manufacturers in developing their firmware also might play a role. This can make applying certain patches difficult, which could delay their implementation.
The findings are conservative and the patching gaps might be even worse because on many devices some tests proved inconclusive, meaning the researchers were not able to determine whether certain patches were present. Those were not counted in the final results.
The study shows that the Android patch level strings are not entirely reliable and should not be trusted blindly. But does this mean Android devices are more hackable? The SRLabs researchers say no.
A missing patch does not make an exploit
While fully remote hacks have been demonstrated on Android in the past, they were either performed by researchers as a proof-of-concept or were used by intelligence and law enforcement agencies in a targeted fashion. None of the highly publicized Android exploits that could theoretically allow for remote code execution, such as Stagefright, have ever been used by cybercriminals in widespread attacks.
That’s because bypassing the various security layers present in the modern versions of Android requires chaining together multiple flaws in different components. Developing such exploits takes a lot of skill and resources and, even if successful, getting them to work reliably on a large number of device models would be a very difficult task due to significant differences in their firmware.
Attacks such as WannaCry—a self-propagating worm that exploited a vulnerability in the Windows SMB service to infect hundreds of thousands of computers—have not happened in the Android ecosystem and chances are that they’ll never happen, said Karsten Nohl, managing director of SRLabs.
Compared to Windows computers that often are compromised through technical vulnerabilities, cybercriminals prefer social engineering as the standard vector of attack on Android, Nohl said.
This often means tricking users into installing malicious applications that abuse the permissions they were granted to steal sensitive information, and that might later use a local exploit to escape their sandbox and gain higher privileges.
Nohl believes that being careful about what applications get installed on their devices is the most important thing Android users can do—even more important than having the latest patches installed.
Android has faced a lot of criticism over the years because the ecosystem’s fragmentation—thousands of phone models from different manufacturers using different chipsets—makes patching difficult. However, that fragmentation is a two-sided coin, as it also makes widespread exploitation of technical vulnerabilities impractical.
Of course, in an ideal world, the majority of Android phones would have the latest patches like iOS devices do, because Apple controls the entire hardware and software supply chain. However, the variety of phone models and firmware customizations is simply too great in the Android ecosystem for that to ever come true.
Many vendors use a lot of development resources to port the monthly security patches to phones running older Android versions, but Nohl thinks those resources would be better spent upgrading those devices to the latest version of Android.
The fact that some of the biggest phone makers continue to offer very few devices with Android 8 is a little bit shocking, Nohl said. Android version upgrades are the most important thing users should demand from their device vendors because they make a bigger difference than the monthly security patches, he said.
In addition to incorporating all the previously released patches, major Android versions add better security features that make exploitation more difficult. So, every Android upgrade is a big security boost to user devices.
“I think that as a community we’ve been asking for the wrong thing,” Nohl said. “We’ve been trying to pressure vendors to release monthly security updates, but I would prefer that they release 6 security updates per year instead of 12 and put the saved time into upgrading phones to the latest Android version.”