What you need to know
- Google fixed a serious security issue for Pixel devices last week with the release of the June Pixel Feature Drop.
- While the bug affects other Android devices too, non-Pixel devices will have to wait for Android 15.
- This leaves non-Pixel Android devices exposed to an actively exploited vulnerability for months.
Last week, Google finally addressed a critical security flaw that researchers and security advocates have known about since April. The problem? Google included the fix in its June Pixel Feature Drop, and other Android phones won't receive it. BleepingComputer first reported the patch, and the GrapheneOS team, which originally reported the vulnerability, confirmed that non-Pixel devices will have to wait for Android 15 to get a fix.
Google patched 50 security issues in the Android 14 QPR3 update for Pixels. One stands out because it is a zero-day: the flaw was being exploited in the wild before a fix was available. Actively exploited bugs are the most urgent to patch, so Google recommends that all Pixel users apply the June update as soon as possible.
"The issue was resolved on Pixels with the June update (Android 14 QPR3) and will also be resolved on other Android devices when they eventually update to Android 15. If they don't update to Android 15, they probably won't get the fix, because it has not been backported. Not all patches are backported."
(GrapheneOS, June 13, 2024)
The company shared this information in its Pixel Update Bulletin, where Google publishes security fixes specific to Pixel devices. "There is evidence that CVE-2024-32896 may be subject to limited and targeted exploitation," the company explains. According to GrapheneOS, the actively exploited CVE-2024-32896 is the same issue previously tracked as CVE-2024-29748; the new identifier covers the Pixel-specific part of the fix that shipped in the June update.
The problem is an EoP (elevation of privilege) issue in Pixel firmware, rated High severity in Google's bulletin.
“It was exploited by forensic companies against users with apps like Wasted and Sentry that attempted to wipe the device upon detecting an attack,” the GrapheneOS team explained. “We addressed it as part of creating our duress PIN/password feature and reported it so that Google could fix the issue on Android, which has now been done.”
The developers add that two underlying issues make the exploit possible. The first is that the firmware does not clear system memory when the device enters fastboot mode, so an attacker who reboots the device into fastboot can read whatever the previous boot left in RAM. The second, separate but related, issue is in the Android Open Source Project's device admin API: its wipe relies on a reboot to carry out the erase rather than doing it immediately, which gives an attacker time to interrupt it. The second issue has been fixed in Android 14 QPR3.
The first issue had already been fixed on Pixels in an earlier update, and the second was fixed in June's Pixel Feature Drop. However, as mentioned, Pixel phones and tablets are the only devices receiving the fix. That is because of the way Android OEMs ship software updates and fixes, and it is not entirely Google's fault.
Why other Android phones aren’t getting a fix
Since this problem is actively exploited and serious, you are probably wondering why other Android devices are not getting a fix. Google advises Pixel users to update their devices as soon as possible to protect themselves; for everyone else, the truth is that Google has done its part and it is up to the other OEMs to ship the fix. The patch is included in Android 14 QPR3, and every device that receives the Android 14 QPR3 code will get it.
Fixes like these are added to the Android Open Source Project, or AOSP, which serves as the basis for other versions of Android. Samsung's One UI and OnePlus' OxygenOS, for example, are built on AOSP. The problem is that these third-party builds typically pick up AOSP only once a year, with the annual platform release. So Samsung will likely use AOSP Android 15 as the basis for One UI 7, and fixes that land in Android 15 QPR2 or Android 15 QPR3 would not reach Samsung Galaxy devices until One UI 8.
In other words, Pixel devices are the only ones getting this patch now because they are the only ones that receive monthly, quarterly, and annual updates. In theory, a company could take the fix from Android 14 QPR3 and apply it to its phones. But since other OEMs don't ship the quarterly releases, the security patches in Android 14 QPR3 won't appear on their devices until Android 15.
Some security patches are added to older versions of Android through a process called backporting, but not every patch is. Given the severity and zero-day status of this vulnerability, Google arguably should have backported the fix, though doing so is not strictly its responsibility. Furthermore, only one of the two underlying issues is in AOSP. The first, memory not being cleared when entering fastboot mode, lives in firmware, and no one but each manufacturer can fix that on its own devices.
This is the latest example of how choosing an Android phone from a brand other than Google can leave users exposed. Other brands are too slow to respond to critical zero-day bugs with patches, and it's a real problem. Sometimes the blame falls on Google, sometimes on the partner OEMs, and often it's a combination of the two. Either way, users suffer.