What you need to know
- Google patched a serious security issue for Pixel devices with the release of the June Pixel Feature Drop last week.
- Though the flaw affects more Android devices, non-Pixel devices will have to wait for Android 15.
- This decision leaves Android devices vulnerable to an actively-exploited flaw for months.
Last week, Google finally addressed a critical security flaw that researchers and security advocates have been raising awareness of since April. The problem? Google included the fix in the June Pixel Feature Drop, and other Android phones aren’t able to receive the update. BleepingComputer first reported the patch, and the team at GrapheneOS — who first reported the vulnerability — confirmed that non-Pixel devices will need to wait for Android 15 to get a fix.
Google patched 50 security vulnerabilities in the Android 14 QPR3 update for Pixels. However, one stands out because it is a zero-day vulnerability. This means that the flaw was actively exploited in the wild before Google became aware of it. Zero-day security vulnerabilities are the most severe, and thus, Google recommends that all Pixel users apply the June update as soon as possible.
It’s fixed on Pixels with the June update (Android 14 QPR3) and will be fixed on other Android devices when they eventually update to Android 15. If they don’t update to Android 15, they probably won’t get the fix, since it has not been backported. Not all patches are backported. (June 13, 2024)
The company shared this information on the Pixel Update Bulletin, which is where Google provides updates on security problems affecting Pixel devices or Android. “There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” the company explains. According to GrapheneOS, the actively-exploited CVE-2024-32896 refers to the same exploit that was previously reported as CVE-2024-29748. The new identifier represents the Pixel-exclusive fix that was included in the June update.
The issue is an elevation of privilege (EoP) flaw in Android firmware that Google rated as “high severity” for Pixels.
“It was exploited by forensics companies against users with apps like Wasted and Sentry trying to wipe the device when detecting an attack,” the GrapheneOS team explained. “We addressed it as part of making our duress PIN/password feature and reported it to get Google to fix it across Android, which is now done.”
The developers add that two underlying problems make the exploit possible. The first is that system memory is not erased when the device enters fastboot mode, so code running in fastboot can read memory left over from the previous boot. The second, separate but related, is that the Android Open Source Project (AOSP) device admin API required a reboot into recovery in order to wipe the device; this has been fixed in Android 14 QPR3.
The first problem was previously fixed on Pixels, and the second was fixed in the June Pixel Feature Drop. However, as we’ve mentioned, Pixel phones and tablets are the only ones that receive the fix. That’s because of the way that Android OEMs release software updates and fixes, and it isn’t entirely Google’s fault.
Why other Android phones aren’t getting a fix
Considering that this issue was actively exploited and has a high severity, you’re probably wondering why other Android devices aren’t getting a fix. After all, Google is advising Pixel users to update their devices ASAP to protect themselves. The truth is that Google has done its part, and it’s up to the other OEMs to implement a fix. The company included the patch in Android 14 QPR3, and any device that receives the Android 14 QPR3 update will get it.
Fixes like this one are often added to the Android Open Source Project, or AOSP, which serves as the basis for other versions of Android. An operating system like Samsung’s One UI or OnePlus’ OxygenOS uses AOSP as the groundwork. The issue is that third-party operating systems usually apply AOSP upgrades yearly. So, Samsung will likely use the AOSP version of Android 15 as the basis for One UI 7. However, a future version of Android 15 QPR2 or Android 15 QPR3 wouldn’t impact Samsung Galaxy devices until One UI 8.
In other words, the reason Google Pixel devices are the only ones to get this patch is that they’re the only ones to receive monthly, quarterly, and yearly updates. In theory, a company could take the fix included in Android 14 QPR3 and apply it to its phones. However, since other OEMs don’t ship quarterly updates, the security patches included in Android 14 QPR3 won’t reach their devices until Android 15.
Some security patches are seeded to older versions of Android through a process called backporting. This doesn’t happen for every patch, though. Given the severity of this flaw and its zero-day status, Google probably should have backported the fix. However, it’s not necessarily Google’s responsibility to do so. Additionally, only one of the two underlying issues lies in AOSP; the first issue described above, memory not being erased on entry to fastboot, can only be fixed by each manufacturer in its own firmware.
This is the latest example of how choosing an Android phone from a brand other than Google can put a user at security risk. Other brands are too slow to respond to critical zero-day flaws with patches, and it’s a real problem. Sometimes the blame lies with Google, sometimes with the partner OEMs, and often with both. Either way, the users suffer.