Google's security team says companies need to get better at patching Android

Android VPN
(Image credit: Shutterstock / ALberto Garcia Guillen)

Google is warning that Android smartphone manufacturers need to get better at patching their devices.

In a blog post published by Google’s cybersecurity arm, Project Zero, the researchers explain how Android’s biggest strength - the decentralization if its ecosystem - is also its greatest weakness. 

As things stand now, it says the patching process is too slow, too cumbersome, and too divided, leaving consumers at risk of known and relatively easy-to-exploit vulnerabilities.

Decentralization woes

Android, while built by Google, is based on Linux, and it’s essentially an open-source solution, so third-party smartphone manufacturers like Samsung, Oppo, LG, and OnePlus can take ownership of their version of the operating system

As a result, when Google releases a patch, it first needs to be analyzed and modified by the manufacturer, before being pushed to the device. This means that Android users may be at risk of being compromised by malware for an extended period.

If that period draws out for too long, and Google releases vulnerability details to the public, that gives cybercriminals a unique opportunity to compromise endpoints without needing to look for new zero-days.

In contrast, Apple offers a closed ecosystem for its devices. The company is in charge of building most of its hardware and software. So, with updates firmly under Apple’s control, whenever the company releases a patch, most endpoints get it fairly quickly.

That’s exactly what happened with CVE-2021-39793, a vulnerability in the ARM Mali GPU driver used by many Android devices that TechRadar Pro reported on in November 2022.

As soon as Google concluded its investigation of that zero-day in July 2022, it reported the findings to ARM, who then patched it in August 2022. Thirty days later, Google made its findings public. 

However, all of the test devices that used Mali remained vulnerable to the issues, Google found. “CVE-2022-36449 is not mentioned in any downstream security bulletins,” it said at the time, raising the issue of what it calls the "patch gap".

“Just as users are recommended to patch as quickly as they can once a release containing security updates is available, so the same applies to vendors and companies,” the blog post reads. 

“Minimizing the "patch gap" as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) are blocking on this action before they can receive the security benefits of the patch."

"Companies need to remain vigilant, follow upstream sources closely, and do their best to provide complete patches to users as soon as possible.”

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.