2 min Security

Google: “vulnerabilities persist too long on Android”

Google: “vulnerabilities persist too long on Android”

Google has released its annual report on zero-day vulnerabilities. Google’s Threat Analysis Group (TAG) indicates in the report that a patch is often unavailable to Android users for too long. The research team found 41 zero-days exploited in the wild.

As the developer of Android, Google controls its own patch policy, but many smartphone manufacturers come out with their own version of the operating system. For example, Samsung has OneUI and Nothing uses NothingOS, but countless examples can be thought of. After each Android update, there may be some time between the release of a patch for “vanilla” Android found on Pixel phones, for example, and the Android offshoots. Google does not cite a specific vendor that does not have its patch policy in order.

Behaviour similar to that of a zero-day

The most dangerous vulnerabilities are zero-days or flaws in software that are known before the vendor has a patch for them. However, Google sees that n-days too often go unpatched for more extended periods of time on Android variants. The “n” in n-day represents the number of days the vulnerability has been known to Google. The time lag between discovery and patch creates a danger for end users that hackers can still make their move.

For consumers, it then creates the highly undesirable scenario that users can only avoid being targeted by not using the device until a patch arrives, Google states in the security blog.

The research team hopes there will be several developments to improve the security level of Android. First, it wants to see more comprehensive and timely patching to curb the threat of n-days. In addition, Google says there should be more room among platforms for the general containment of exploitable elements, eliminating whole types of vulnerabilities. Finally, it has expressed a desire for more transparency and collaboration between vendors and security parties to share technical knowledge about cyber threats.

Also read: Google fixes four major vulnerabilities in Android