Google warns that Android smartphone makers need to get better at patching their devices.
In a blog post published by Project Zero, Google’s cybersecurity arm, the researchers explain how Android’s greatest strength – the decentralization of its ecosystem – is also its greatest weakness.
As things stand, the patching process is too slow, cumbersome and distributed, leaving consumers exposed to known and relatively easy-to-exploit vulnerabilities.
Decentralization woes
While Android is built by Google, it’s based on Linux and is essentially an open-source solution so that third-party smartphone manufacturers like Samsung, Oppo, LG, and OnePlus can take ownership of their version of the operating system.
As a result, when Google releases a patch, it must first be analyzed and modified by the manufacturer before being pushed to the device. This means that Android users are at risk of being compromised by malware for an extended period of time.
If that period goes on too long and Google releases details of the vulnerability to the public, it gives cybercriminals a unique opportunity to compromise endpoints without having to search for new zero-days.
Apple, on the other hand, offers a closed ecosystem for its devices. The company is responsible for building most of the hardware and software. So, with updates firmly under Apple’s control, most endpoints get them fairly quickly when the company releases a patch.
That’s exactly what happened with CVE-2021-39793, a vulnerability in the ARM Mali GPU driver used by many Android devices, as TechRadar Pro reported in November 2022.
Once Google completed its investigation into that zero-day in July 2022, it reported the findings to ARM, which resolved the issue in August 2022. Thirty days later, Google made its findings public.
However, all test devices using Mali remained vulnerable to the issues, Google found. “CVE-2022-36449 is not mentioned in any downstream security bulletins,” it said at the time, raising the issue of what it calls the “patch gap.”
“Just as users are advised to patch as soon as possible when a security update release is available, the same goes for vendors and companies,” the blog post reads.
“Minimizing the ‘patch gap’ as a vendor in these scenarios is arguably more important, as end users (or other vendors downstream) block this action before they can receive the security benefits of the patch.”
“Companies must remain vigilant, closely monitor upstream sources, and do their best to deliver full patches to users as quickly as possible.”