Some Android OEMs are have reportedly been skipping security patches according to a security research firm called Security Research Labs, which mentioned the issue last week on Friday, April 6 at a conference in Amsterdam. The more alarming detail is not that the security patches had been missed, but rather the number of times that the patches weren't applied. According to the firm there have been nearly a dozen patches that were skipped by certain OEMs, which means that some users, and likely a large number of them considering how many Android phones are out there and how many vendors weren't applying the patches as regularly as Google intended, were continuing to use phones that weren't up to date and weren't able to protect their users from current (at the time) security risks that Google was pushing out these patches for.
Even more alarming than the number of missed patches is that Security Research Labs states that some vendors weren't just foregoing the patch updates, but going so far as to actively alter the date and version number of the patch to show as if the security update was applied even when it really wasn't. The issue didn't extend to Google's devices, of course, so those with Pixel and Pixel XL, or Pixel 2 and Pixel 2 XL devices were safe, but the report claims that some OEMs, including Sony, Samsung, and Wiko had missed at least one security patch.
Other OEMs such as TCL and ZTE had missed four or more patches. This can be seen in the image of the table below which lists off what OEMs were missing patches and how many of them were missed. Another table also shows that companies such as MediaTek had missed about 9.7 patches on average, which is quite a lot when you consider that the security updates are being pushed out by Google to its own devices and to vendors on a monthly basis. All that said, Google has reportedly pointed out some details which are worth considering – some of the devices may not have been Android certified devices which means they wouldn't be offering the same standard of security updates as Google and other more trusted OEMs. Google also reportedly points out that some devices may have had updates skipped due to vendors simply removing a feature that had the vulnerability as opposed to sending out an update, which would likely be a quicker process. If that's the case, then the situation is a little bit of a gray area. Nevertheless it still remains that according to SRL, patch updates were still listed as being up to date when they weren't, which might lead some users to wonder going forward if their device has actually been updated with the latest security fixes. SRL says that it had tested the firmware on around 1,200 Android phones, looking for whether or not patches had been applied, which led to it finding devices that had changed the dates forward without actually adding the patches in.