Millions Of Samsung Users May Wait ‘2-3 Months’ For Critical New Update
The Android update process is in something of a mess. Unlike Apple, which controls its hardware and software and can update everyone, everywhere at the same time, the Android alternative is a patchwork quilt of brands, models, markets and carriers. And while that has become the begrudged norm, sometimes it is even more confusing.
So it is with the recent Pixel zero-day. Unlike Samsung’s low-key June security update, Google confirmed that its Pixel update included a fix for a high-severity vulnerability that had been exploited. The US Government’s cyber agency then added this to its Known Exploited Vulnerability catalog, giving federal employees until July 4 to install the update or shutter their Pixels. Sound advice for all Pixel users.
Google didn’t elaborate on CVE-2024-32896, but the team at GrapheneOS posted that this latest Pixel update addressed the incomplete fix Google issued in April following its vulnerability disclosure—CVE-2024-29748.
And this is where it gets complicated—because that complete fix has been released for Pixels only. Owners of Samsung flagships take note.
The first vulnerability, GrapheneOS explained, “is about bypassing the device admin API wipe command by interrupting it before it can wipe, which can be used to bypass apps which implement local wiping on certain triggers or other device admin apps.”
The second issue, “which [Google] fully fixed in April,” GrapheneOS told me, “is a ‘reset attack’ vulnerability which involves rebooting into fastboot mode (often called the bootloader interface) which is a firmware-provided mode for development purposes and then exploiting that.”
You can skip these details unless you’re exceptionally technically minded. What you need to know, though, is that “the combination of these two vulnerabilities was used with an unknown third and fourth vulnerability by a forensic company to exploit Pixels to get data off them, which they can also do with other Android devices.”
And that’s the catch. This is not a Pixel issue. “There are two vulnerabilities being addressed,” GrapheneOS posted. “Neither issue is being fixed outside Pixels yet.”
So, let’s be clear. Google has acknowledged and patched a Pixel vulnerability for which there’s a zero-day exploit. The team behind the original reporting of the vulnerability say this extends beyond Pixels. But whilst the Pixel issue is deemed serious enough to make CISA’s KEV catalog, other OEMs don’t currently have a fix.
How’s your $1000 Android flagship feeling now?
Those concerns have now been confirmed. GrapheneOS “questioned why this was only listed in the Pixel Update Bulletin,” and the Android team agreed. “After review,” GrapheneOS was told, “we agree with your assessment that this is an Android issue and as such we are working on backports to include this in a future Android Security Bulletin.” So Samsung devices are at risk, and there’s no word on timing for a fix.
GrapheneOS told me “that [fix] should get shipped in 2-3 months as part of Android Security Bulletin, backported to Android 12, 13 and 14.” I asked whether a user could lock down the vulnerability in the interim and was told “no.”
There’s another threat lurking in the mix here as well. “CVE-2024-29745 is the more serious issue and was fully fixed in April for Pixels,” GrapheneOS told me, “but other devices don’t have the protection yet.” This is a firmware issue and needs to be fixed OEM by OEM. “It makes sense that CVE-2024-29745 was only fixed for Pixels by Google, they can’t fix it for anyone else. Other vendors could add the same zeroing to each of their firmware boot modes and should, but we can’t easily get them to do it.”
I have reached out to Samsung and Google for clarification on when Samsung users can expect these Pixel updates. I’ll update this article when I receive anything back.
In the meantime, there’s not much Samsung or other OEM owners can do. Putting aside the specifics, the bigger concern is the convoluted Android process to identify and acknowledge an issue, to prepare a fix, and then to deploy it widely and rapidly. Google is expending great efforts to shore up device security with Android 15. But thus far there is no word on how this security update complexity might change, if at all.
“It’s a mess, basically,” GrapheneOS says.