Here we go again—Google has suddenly confirmed a serious new zero-day threat for Android devices, likely to be patched immediately for its own Pixel devices while leaving Galaxy users to wait and see when they’ll receive the same. This alarming security disparity between Pixel and Galaxy is becoming ever more real.
“There are indications that CVE-2024-36971 may be under limited, targeted exploitation,” Google warns, confirming that a fix for an Android kernel vulnerability that “could lead to remote code execution with System execution privileges needed” is included in Android’s August security update.
Ironically, Samsung released details of its own August security firmware update at almost exactly the same time as Google’s new warning, with other critical fixes but not this one. Thankfully, Samsung’s update does include the long-awaited fix for June’s so-called Pixel zero-day. As for the latest warning, Google says “source code patches will be released to the Android Open Source Project (AOSP) repository in the next 48 hours.” This likely means September at the earliest for Galaxy, unless Samsung does something out of the ordinary—I have asked them to confirm this.
As usual, Samsung’s update will roll out device by device, region by region, rather than all at once. And while flagships and more recent devices will be updated in the same month the fix is released, others will be on a slower schedule.
Unsurprisingly, there are no details yet available on the new threat. But with Google TAG’s Clement Lecigne thanked in the bulletin disclosing the new vulnerability, we can infer that the threat could well be an APT or state-level exploit.
Given the mess last time around, it will be good to see slicker collaboration between Google and Samsung this time, with assurance for Galaxy users that a fix is being prioritized and will be available as soon as possible—certainly no later than September. That said, Google’s control of Android, Pixel hardware and Pixel software makes it much easier to push serious updates than it is for other OEMs. With all eyes on iPhone as the security standard bearer in the flagship market, and those devices well over $1000 apiece, this is an issue Samsung can’t easily shake.
Last time, the US government included the Pixel zero-day in its Known Exploited Vulnerabilities catalog. It’s not there yet—but it will be interesting to see if CISA takes the same approach this time and whether that’s Pixel only or Samsung as well. CISA usually issues a 21-day update-or-cease-use directive, which would be a serious issue for Galaxy users, given normal Android and Samsung update schedules.
Watch this space…