But while manufacturers may install some of the fixes, changing the security update date to the latest available in the process, they can fail to install all of the patches bundled in any particular month's update.
It found that in some cases, Android smartphone makers allegedly told users that their smartphone's software had been updated with monthly patches when it hadn't. "It's small for some devices and pretty significant for others", Nohl told Wired. Sometimes these guys just change the date without installing any patches.
To coincide with the release of the report, SRL has launched an app called SnoopSnitch, which it says helps Android users find out if their handsets are neglecting security. The phones all claim to have received at least one security update since October 2017.
In response, Security Research Labs has updated its SnoopSnitch app, where Android phone users can get an accurate breakdown of which security updates have and haven't been installed.
The company wrote (via The Verge): "We're working with them [SRL] to improve their detection mechanisms to account for situations where a device uses an alternate security update instead of the Google suggested security update".
In response to Google's statement, SRL's Karsten Nohl said that while it's unlikely that OEMs have gone as far as circumventing a patch to cover a vulnerability, he agrees that most hackers will find it hard to hack an Android phone because of the OS's base security features like the randomization of file addresses and app sandboxing. Despite devices reporting a given patch date, some of the patches distributed by Google may not be integrated in the updates provided by your manufacturer. The researchers discovered manufacturers of low-end chipsets like Mediatek and Hisilicon missed more updates on average than powerhouses Qualcomm and Samsung.
"Installing patches every month is an important first step, but is still insufficient unless all relevant patches are included in those updates", the researchers said.
Or so you'd think. Vendors whose devices had one to three missing patches include Nokia, Chinese giant Xiaomi and fan-favorite OnePlus. The more alarming detail is not that the security patches had been missed, but rather the number of times that the patches weren't applied.