There was a nasty sting in the tail with this month’s updates for Samsung and Pixel users, with the news that a serious Android security threat had been discovered. Google confirmed on Tuesday that attacks are likely underway, and—also on Tuesday—Samsung and Google quickly rushed out patches as part of their monthly updates.
It seems the vulnerability and exploit were discovered by Google’s TAG high-end threat hunters, which means this is a sophisticated attack. While currently the risk is just “limited, targeted exploitation,” an exploit once in the wild quickly expands.
Little surprise then that the US government has just warned federal employees to either update their Android devices by August 28 or cease using them until they can. The DHS cybersecurity agency did the same back in June, when the last Pixel zero-day was discovered and disclosed. It took just 24 hours this time around for CISA to add the new Android threat to its Known Exploited Vulnerabilities (KEV) catalog.
CISA’s update or “discontinue use of the product” orders are mandatory for US federal employees—and given this is Android, that will hit a vast number of users. But other commercial and public sector organizations are well advised to follow CISA’s instructions to maintain their own security and do the same—many already do. Even personal users should ensure this update is applied on time, especially those who access employer systems from a personal device. This is a well-trodden attack path.
CISA’s warning echoes Google’s own, that the vulnerability and exploit “allows for remote code execution.” Again, the inference here is that a high-end APT or even nation-state exploit has been discovered. But that is how many such threats get out into the wider market, and there’s every chance the aperture will widen, especially in this time of maximum risk, between the patch’s release and it being widely applied.
While the vulnerability and exploit are serious in themselves, the issue with such threats is that they can be used in tandem with other vulnerabilities (known or unknown) as part of a chain attack. That’s what we saw with June’s similar warning.
Google included CVE-2024-36971 in Android’s general August security update, which is included wholesale in Pixel’s monthly update. Samsung added the fix to its own August update. Ironically, Samsung already had the June zero-day pencilled in for this month and it was also included. The two exploited vulnerabilities were listed side-by-side in Samsung’s advisory—all very neat and tidy.
The prior zero-day was initially tagged for Pixel only, before Google and then Samsung confirmed that it hit their devices as well. As such, Samsung wasn’t covered by the last CISA update warning which targeted just Pixel phones.
The issue for Samsung now is the usual slow monthly rollout of security updates by device, region and carrier, and that some older and cheaper devices are not on a monthly release. Pixel has some of the same concerns, albeit not to the same extent.
Quite how Google, Samsung and other OEMs will deal with the mix and match between their usual update schedules and CISA’s mandate remains to be seen. The absence of a fix in time would certainly seem to trigger CISA’s “discontinue use of the products if mitigations are unavailable” clause. Watch this space.
In the meantime, those of you who do receive the update in time should ensure you install it as soon as you can; that August 28 deadline is just 21 days away.
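For administrators who need to know which devices have actually received the fix before the deadline, here is an added example (not code from the article, Google or Samsung): a small POSIX shell script that reads each attached device's reported security patch level over adb and flags those still below the August kernel level. It assumes the fix for CVE-2024-36971 ships at Android security patch level 2024-08-05 (check the August bulletin and adjust REQUIRED_LEVEL if needed), and that adb is installed with the devices authorised for debugging.

```shell
#!/bin/sh
# Added example: flag Android devices whose security patch level predates the
# August fix. ASSUMPTION: the kernel fix for CVE-2024-36971 is carried by the
# 2024-08-05 patch level; a device reporting 2024-08-01 has the same month's
# first level but not the kernel fixes, so it is still treated as unpatched.
REQUIRED_LEVEL="2024-08-05"

# Turn a YYYY-MM-DD patch level into an integer for portable comparison;
# prints nothing if the string is not a well-formed level.
level_to_int() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | sed 's/-//g' ;;
    *) printf '' ;;
  esac
}

# Exit status: 0 = level carries the fix, 1 = older than required,
# 2 = unparseable (e.g. a custom ROM that reports an odd string).
patch_level_ok() {
  have=$(level_to_int "$1")
  need=$(level_to_int "$REQUIRED_LEVEL")
  [ -n "$have" ] || return 2
  [ "$have" -ge "$need" ]
}

# Read ro.build.version.security_patch from one device and report on it.
check_device() {
  serial="$1"
  level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r\n')
  if patch_level_ok "$level"; then
    printf '%s: patch level %s - OK\n' "$serial" "$level"
  else
    printf '%s: patch level %s - UPDATE REQUIRED (need %s or later)\n' \
      "$serial" "${level:-unknown}" "$REQUIRED_LEVEL"
  fi
}

# Walk every attached, authorised device ("adb devices" lines: SERIAL<tab>device).
scan_devices() {
  command -v adb >/dev/null 2>&1 || { echo "adb not found in PATH" >&2; return 1; }
  adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r s; do
    check_device "$s"
  done
}

# Run the sweep only when invoked as: sh check_patch_level.sh --scan
if [ "${1:-}" = "--scan" ]; then scan_devices; fi
```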