Google’s security team says companies need to get better at patching Android

Manufacturers are too slow and putting users at risk


Google is warning that Android smartphone manufacturers need to get better at patching their devices.

In a blog post published by Google’s Project Zero security research team, the researchers explain how Android’s biggest strength, the decentralization of its ecosystem, is also its greatest weakness.

As things stand, the post says, the patching process is too slow, too cumbersome, and too fragmented, leaving consumers exposed to known and relatively easy-to-exploit vulnerabilities.

Decentralization woes


Android, while built by Google, is based on the Linux kernel and is released as open source, so third-party smartphone manufacturers like Samsung, Oppo, LG, and OnePlus ship their own versions of the operating system.

As a result, when a fix is released upstream, each manufacturer first has to integrate and test it in its own build before pushing it to devices. Until that happens, Android users remain exposed to malware that exploits the bug, and that can be an extended period.

If that period drags on past the point at which Google publishes the vulnerability details, cybercriminals get a unique opportunity: they can compromise endpoints with a bug that is already fixed upstream, without needing to look for new zero-days.

In contrast, Apple offers a closed ecosystem for its devices. The company builds most of its own hardware and software, so with updates firmly under Apple’s control, whenever the company releases a patch, most endpoints get it fairly quickly.


That’s exactly what happened with CVE-2021-39793, a vulnerability in the ARM Mali GPU driver used by many Android devices, which TechRadar Pro reported on in November 2022.

As soon as Google concluded its investigation of that zero-day in July 2022, it reported the findings to ARM, which patched it in August 2022. Thirty days later, Google made its findings public.

However, Google found that all of the test devices that used Mali remained vulnerable to the issues. “CVE-2022-36449 is not mentioned in any downstream security bulletins,” it said at the time, referring to the identifier under which ARM disclosed the fixes, and raising the issue of what it calls the “patch gap”.
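The timeline above is the kind of thing a fleet owner can measure: take the date the upstream vendor shipped its fix, the date the details went public, and each device’s Android security patch level, and classify every device as patched, sitting in the patch gap, or exposed. The following is an added example, not code from Project Zero, ARM or TechRadar. It assumes the only per-device signal is the `ro.build.version.security_patch` property as printed by `adb shell getprop`, and that a CVE counts as fixed on a device only once an Android security bulletin lists it under a patch level the device has reached. All exact dates, the bulletin mapping and the device records are constructed for illustration; the article gives only months. The caveat this encodes is the one in the quote: a fix that no bulletin carries (the CVE-2022-36449 case) can never be confirmed from the patch level alone, so such a device is never reported as patched.

```python
"""Patch-gap triage for a small Android fleet.

Added example; not code from Project Zero, ARM or TechRadar. It assumes the
only per-device signal is ro.build.version.security_patch as printed by
`adb shell getprop`, and that a CVE is fixed on a device only once an Android
security bulletin carries it under a patch level the device has reached.
All dates, bulletin mappings and device records below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_PROP = "[ro.build.version.security_patch]"


@dataclass(frozen=True)
class Advisory:
    cve: str
    upstream_fixed: date            # upstream vendor (e.g. ARM) shipped the fix
    public_disclosed: date          # details published (here: fix + 30 days)
    bulletin_level: Optional[date]  # Android patch level carrying the fix, or None


def parse_security_patch(getprop_output: str) -> date:
    """Pull the ISO date out of the `adb shell getprop` line for the patch level."""
    for line in getprop_output.splitlines():
        key, sep, value = line.partition(": ")
        if sep and key.strip() == PATCH_PROP:
            return date.fromisoformat(value.strip().strip("[]"))
    raise ValueError("ro.build.version.security_patch not present in getprop output")


def classify(patch_level: date, adv: Advisory, today: date) -> tuple:
    """Return (status, gap_days) for one device against one advisory.

    patched   : device patch level is at or past the bulletin that carries the fix
    patch-gap : upstream fix exists but has not reached this device; not yet public
    exposed   : upstream fix exists, details are public, device still lacks it
    gap_days is the time from the upstream fix to the bulletin that delivered it
    (patched) or to `today` (still waiting). A fix that no bulletin carries
    (bulletin_level is None) can never be confirmed from the patch level, so it
    is never reported as patched.
    """
    if adv.bulletin_level is not None and patch_level >= adv.bulletin_level:
        return "patched", (adv.bulletin_level - adv.upstream_fixed).days
    waited = (today - adv.upstream_fixed).days
    if today < adv.public_disclosed:
        return "patch-gap", waited
    return "exposed", waited


def triage(fleet: dict, advisories: list, today: date) -> dict:
    """Map device id -> {cve: status} across the fleet."""
    result = {}
    for device_id, getprop_output in fleet.items():
        level = parse_security_patch(getprop_output)
        result[device_id] = {adv.cve: classify(level, adv, today)[0] for adv in advisories}
    return result


# Constructed sample data. Day-of-month values are illustrative; the article
# gives only "August 2022" for the fix and "thirty days later" for disclosure.
TODAY = date(2022, 11, 22)
ADVISORIES = [
    # Fixed upstream, disclosed 30 days later, never picked up by a bulletin:
    # the patch-gap case the article describes.
    Advisory("CVE-2022-36449", date(2022, 8, 15), date(2022, 9, 14), None),
    # Hypothetical advisory (not a real CVE) that did reach an October 2022 bulletin.
    Advisory("EXAMPLE-BULLETIN-FIX", date(2022, 8, 15), date(2022, 9, 14), date(2022, 10, 5)),
]
FLEET = {  # constructed getprop excerpts, one per lab device
    "pixel-lab-01": "[ro.build.version.release]: [13]\n"
                    "[ro.build.version.security_patch]: [2022-11-05]\n",
    "oem-lab-02":   "[ro.build.version.release]: [12]\n"
                    "[ro.build.version.security_patch]: [2022-09-05]\n",
}

if __name__ == "__main__":
    for dev, statuses in triage(FLEET, ADVISORIES, TODAY).items():
        print(dev, statuses)
```

Run as a script it prints one line per device; `pixel-lab-01`, despite a November patch level, comes out as exposed for CVE-2022-36449 because no bulletin ever carried that fix, which is precisely why a patch level cannot be used as proof of a vendor-specific driver fix. For fixes outside the bulletin process you have to check the driver or kernel build itself.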

“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” the blog post reads.

“Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch.”

“Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
