It has been a busy week in Pixel-land, with the launch of the Pixel 9 Pro in all its various guises, and the furore over possible security issues with an app pre-installed by Google on tens of millions of phones. And so if you have a Pixel phone, you can be forgiven for forgetting the critical update clock now ticking away in the background.
But you shouldn’t—you have just 9 days left to update your phone.
Google has promised a software update to remove the Showcase app from all its Pixel devices, following the iVerify warning last week. There remains a robust debate as to whether this is a serious issue at all—but regardless, that update must not be confused with the critical August security update now rolling out to Pixels worldwide.
It was back on August 7 that Google warned Pixel users that a security threat “may be under limited, targeted exploitation,” confirming that a fix was included in its August security update. The Android kernel issue, Google said, “could lead to remote code execution with system execution privileges needed,” and it seemed that Google’s own Threat Analysis Group (TAG) had discovered the threat and active exploitation.
TAG’s involvement suggests sophisticated APT or even nation-state level actors, with initial attacks being very specifically targeted. But as I commented at the time, these specialist exploits have a nasty habit of leaking into the wider market.
The threat level was underlined by the U.S. government issuing a mandate for all federal employees to update before August 28 or stop using their Android phones. They did the same back in June, with the Pixel zero-day warning before this one, and so users should be used to the drill. And while CISA’s formal mandate only applies to federal staff, in reality all enterprise and personal users should follow suit. That’s the intent behind CISA’s warnings—to protect the wider ecosystem from cyber attacks.
That same mandate applies across the Android ecosystem. What is new is that we now know that Samsung users with older devices that are not on a monthly update schedule likely won’t meet CISA’s deadline. That materially changes the criticality of this update mandate, given the implications. Google has also said the August update will vary by region and carrier, but it doesn’t have as complex an install base to manage as Samsung, with its complex rota of monthly, quarterly and biannual security updates.
Anyone with a Pixel 6 or later should be fine. Anyone with a Pixel 5 or earlier is unlikely to get the update, as coverage has ended, with the exception of the Pixel 5a 5G, which conveniently is covered until this month. You can check the specific update schedule by model number here. And you can see instructions on how to check whether your phone has updated here. Regardless of this issue, if your phone has fallen off the update rota then get a new phone—it really is as simple as that.
Despite the news flow, you can ignore the pre-installed app issue—it is not going to cause your device any issues, with exploitation unproven and complex. The August 7 warning, though, is very real and you need to ensure your phone is protected.
The clock is ticking—August 28 is now little more than a week away.