Updated on July 3 with news of Google’s latest Pixel update.
Samsung has again beaten Pixel to the punch when it comes to issuing details of this month’s security release. But be warned, this update is actually bad news for your Galaxy device—the alarming issue is what’s missing, not what’s been fixed.
Google has now confirmed that Samsung and other Android devices are vulnerable to the same security risk behind June’s Pixel zero-day warning. While Pixels have been patched, Samsung devices have not. And that is not addressed at all in July’s update. Given that this threat was serious enough to prompt a US government warning, you should be very mindful of the exposure.
Samsung’s update does include four other critical Android security warnings, albeit three of those patch Qualcomm vulnerabilities and were delayed from Android’s June update. Samsung warns users that component updates may come later than software and firmware patches, but again Pixel managed to release these more quickly.
At least the other critical Android update in Samsung’s July release is current and has been issued immediately. Google warns that CVE-2024-31320 impacts Android’s underlying framework and “could lead to local escalation of privilege with no additional execution privileges needed.” Take that on its own as a reason to update now.
Beyond the wider Android patches, Samsung includes the usual list of its own fixes, including critical updates to address an input validation risk. Samsung warns this could enable a remote attacker to execute arbitrary code by compromising secure control data on the device. While “user interaction is required for triggering this vulnerability,” meaning some form of UI prompt that the user would need to act on, that prompt could be disguised in any number of different ways.
But the much more critical issue is the missing Pixel zero-day fix.
Last month, Google warned Pixel users that CVE-2024-32896 “may be under limited, targeted exploitation,” and the US government then mandated that federal employees update their Pixel devices by July 4 “or discontinue use of the product.”
This Pixel patch was the second part of a fix from April. “There are two vulnerabilities being addressed,” GrapheneOS, which was behind the disclosure, posted. “Neither issue is being fixed outside Pixels yet.”
Google confirmed this, telling me “Android security is aware of this issue, and after further review, this issue does impact Android platform… Pixel devices that have installed the latest security update are protected… we are prioritizing applicable fixes for other Android OEM partners and will roll them out as soon as they are available.”
And while Google assures that “additional exploits would be needed to compromise a device,” it’s exactly this combination of multiple vulnerabilities combined into a chain attack that GrapheneOS has warned about. There is no current fix for any device beyond Pixels, and it could be months before one is made available.
GrapheneOS also warns that another vulnerability—CVE-2024-29745—remains a threat to Samsung and other Android devices, and has also only been patched on Pixels. “CVE-2024-29745 is the more serious issue,” I was told, “and was fully fixed in April for Pixels, but other devices don’t have the protection yet.” Because this is a firmware issue, it needs to be patched OEM by OEM. And that will take time.
This risk where Pixel has patched and others have not is starting to form a pattern—and that’s not great news if you’ve just dropped $1000-plus on a new flagship and expect it to be fully secured. I approached Samsung for any comments on these vulnerabilities after receiving Google’s confirmation.
In recent months, Google has trailed behind Samsung when it comes to its own Pixel update bulletins. But not this month—at least not by much. Pixel users now have details of their own July release. Unlike Samsung’s July fixes, this month’s Pixel-specific updates are fairly light-touch. But there are also the wider Android updates, and these are more extensive and include critical software and hardware updates that Google says are all wrapped up within the Pixel update.
And that in itself is an issue for Samsung users—because they are not getting the same timely fixes. Putting aside the Pixel zero-day that’s still a live vulnerability on Samsung devices and will be until it’s patched, to say nothing of CVE-2024-29745, Pixel is subtly becoming ever more iPhone-like in its wrap-up of hardware and software into a seemingly integrated offering. While Pixel is still dependent on carriers to push software, it does present a more cohesive offering.
Samsung is in something of a bind. Google is now getting into its stride with Pixel; it’s no longer a punt. The fast-tracked addition of its own AI onto Pixel devices, which are clearly optimized for that software, promises a much keener contest in years to come. And while both Pixel and (especially) Galaxy have iPhone in their sights, Pixel’s more immediate target is Samsung and the hundreds of millions of devices it is already selling to users committed to the Android ecosystem controlled by Google.
Even on the AI security and privacy front, where earlier in the year it had seemed that Google would be very much cloud-based, leaving Samsung’s hybrid AI offering some market space, that has now changed. The market is becoming more focused on the privacy benefits of on-device AI, and Google is responding to that. Its control of Android’s core AI offerings and Pixel hardware is a clear advantage.
None of this will seem acute as yet—Samsung flagships are flying from the shelves. But this is a fickle market, and AI will be a generational change that makes it more so. There will be a raft of users switching brands and even platforms.
Pixel is more a software play than a hardware play, and in that regard differs from Samsung and Apple. But AI has changed the equation for users. And when it comes to security, the integrated hardware/software ecosystem that Google controls gives it an ability to match Apple’s approach in a way Samsung has clearly shown it cannot.
Samsung continues to maintain its lock on the premium Android market, but Google is focused on catching up and has a real advantage. That has really come to the fore in recent months. Samsung users have seen delays on component updates—specifically Qualcomm’s. And this contrasts with Pixel’s more immediate release of those fixes. This new warning—a late-to-the-party admission that Pixel’s zero-day isn’t only a Pixel issue after all—is a major blunder and needs to be addressed—fast.
Android 15 is not too far away, and while the release will add a raft of new security updates and enhanced user protection, it will also hopefully clean up some of these outstanding issues. But it’s a long time to wait. Meanwhile, Samsung users should update as soon as this month’s update is available for their model, region and carrier.