"Instead criminals focus on social[ly] engineering users into installing malicious apps, often from insecure sources, and then granting excessive permissions to these apps," the researchers said.
The report on Wired points out that this "patch gap" is a serious problem: in some cases vendors told users that a phone had all of Android's security patches when in reality it was missing more than a dozen. Bringing up the rear are ZTE and TCL, whose phones on average have missed more than four Android security patches. In the end, Android OEMs feel it's okay to deceive and insult their customers by pretending to update their dumb-phones with security patches when in fact they are not.
"We found several vendors that didn't install a single patch but changed the patch date forward by several months," Nohl said. To cover up their mistakes, these vendors simply state that the devices are running the latest updates, i.e. they lie about having rolled out the patches in the first place.
Security Research Labs stressed that exploiting Android handsets is still hard, but as hackers become incentivised to target smartphones, ensuring devices are kept current with patches is important.
"Modern operating systems include several security barriers ... all of which typically need to be breached to remotely hack a phone".
Remarkably, top manufacturers like HTC, Sony, Samsung and Motorola were occasionally missing the patches. "Now that monthly patches are an accepted baseline for many phones, it's time to ask for each monthly update to cover all relevant patches". "That's deliberate deception, and it's not very common".
In response, Security Research Labs has updated its SnoopSnitch app, with which Android phone users can get an accurate breakdown of which security updates have and haven't been installed. The company tried to do some damage control by listing its mechanisms, like Google Play Protect, which are being developed to provide an extra security layer. "These layers of security, combined with the tremendous diversity of the Android ecosystem, contribute to the researchers' conclusions that remote exploitation of Android devices remains challenging."