Google confirms Android attacks; no fix for most Samsung users

Posted by mohi-kalantari 1 day ago

Counter206Comment161OpenOriginal

Comments

Comment by ptx 1 day ago

Never mind the December security patches, Samsung haven't even released the November patches yet, the ones for the critical severity RCE. Unless you have a "major flagship model" [1], because apparently only the richest users deserve to be secure.

[1] https://security.samsungmobile.com/securityUpdate.smsb

Comment by riedel 1 day ago

Why would you want security, if you get 'play integrity' for phones that received no updates since 2 years. Google's current security practices are more than dubious IMHO. Now they are not releasing any source for security patches for 3 month, to 'protect' vendors that are too slow updating. As if there is no chance for bad actors to reverse engineer those patch sets.

Comment by homebrewer 1 day ago

I have the strongest level of "Play Integrity" on a Xiaomi phone that hasn't received any updates since the beginning of 2020. Google Pay and co work fine. It makes sense when you remember that PI is not about security at all, that's just an excuse.

Comment by chii 1 day ago

The "integrity" refers to googles bottomline!

Comment by ycombinatrix 1 day ago

Play Integrity is just spyware - it does not provide any degree of security.

Comment by riedel 1 day ago

Sorry for my irony. While I do not think it is spyware on itself, it sure is a way to force vendors to bundle spyware.

Comment by yaro330 1 day ago

Elaborate please. PI on its own is just an insurance API for banking and similar apps to ensure that they can do secure compute on the device. It can also be used to check if the device that the app is running on is a genuine Android device, since no VMs or custom ROMs can pass hardware integrity.

Comment by subscribed 19 hours ago

Well, only it isn't.

Very old, unpatched and rooted devices can fairly easily pass device integrity check.

It primarily assures the software vendor that the phone is running Google buttplug in the privileged mode.

Remember, handsets running on ANCIENT versions of Android with no patches for years. Whilst seems to be important to raise under the Forbes article (rightly) fussing about a couple of zero-days.

"Custom roms" (whatever that means) can easily spoof the checks in the specific situation (mainly hardware that allows for several things).

Comment by riedel 18 hours ago

What sense is does it make to certify an insecure device that may be subject to all kinds of remote exploits and elevated code execution as 'unmodified'. The argument of the banks is: the device is insecure (even with the latest patches). We all know the whole compliance is a bit more complex, so it might make sense on that level...

Comment by JohnTHaller 1 day ago

Google Pixel 7 and Pixel 7 Pro are still stuck on the October patches.

Comment by defanor 1 day ago

Pixel 6a used to show a September patch as the latest, but tapping "check for updates" found a new one. As mentioned in other comments here, apparently tapping those buttons twice may help.

Comment by JohnTHaller 1 day ago

I was clicking "Check for Updates" every few hours. Finally started working a bit ago.

Fun fact: Pixel 7 and Pixel 7 Pro didn't get a November update

Comment by cmurf 1 day ago

Can confirm on a Pixel 6a.

Says September is the latest system update. Click check updates, says it's up to date, click check updates again, says it's preparing system update and hangs out for a while - then says it's downloading and installing a 781M update.

WTF?

Update: OK finally the update completes an hour later, even the reboot took longer than usual - says it's "updated to December 5, 2025"

This phone running Android 16 for a bit over a month now.

Comment by BoppreH 1 day ago

You might be on a slow rollout group, I got the December patch on my Pixel 7.

Comment by gucci-on-fleek 1 day ago

The December updates for Pixel 7 and Pixel 7 Pro are available to manually download on Google's website [0], so the updates do exist, although Google might not be rolling them out to the general public quite yet. But the December update for Pixel 7a are completely missing from that website, and trying to update from the Settings app also shows no updates available.

[0]: https://developers.google.com/android/ota

Comment by fulafel 1 day ago

Is there a way to apply one of these manually (without getting into dev tools and wiping & flashing with the new image)?

Comment by gucci-on-fleek 1 day ago

There are instructions at the top of the link. You need to use "adb" from the command-line on a computer, but it won't wipe any of your data, so it shouldn't cause any data loss. If you don't want to use "adb", you might be able to use [0], but I haven't tested it myself.

[0]: https://flash.android.com/welcome

Comment by th3typh00n 1 day ago

My 7 is on the December one.

Comment by Grisu_FTP 1 day ago

> Samsung haven't even released the November patches yet.

My fold 6 has the November "security patch level" or what does that refer to?

Comment by j45 1 day ago

Samsung for the longest time was releasing updates way too late, and what they were releasing monthly was old patches.

Buying a device directly from Samsung may be different, but the manufacturer still has to usually convert the pure android update to their branch.

Still, trying to find a pure android phone is important. More manufacturers used to make them.

Example: https://www.androidauthority.com/best-smartphones-stock-andr...

Comment by crusty 2 hours ago

I thought Google was moving stuff out of the open source stock android branch and into their proprietary pixel development branch, such that the functionality of stock android has been diminishing to the point that a phone running stock android would be barely usable as the device we'd expect. Maybe I've read wrong and misunderstood though.

Comment by vbezhenar 1 day ago

> pure android phone

Do these even exist? Last phones I'm aware about were Android One program, but it ended years ago.

The link suggests Google Pixel, but it's not pure android phone, it's full of Google junk software.

Comment by 1 day ago

Comment by xnx 1 day ago

No fix yet for Samsung. Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

Comment by bigbadfeline 1 day ago

> Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

Being reliant on a single OS permanently nailed to the hardware is no less crazier. I'd like to be able to install another OS on a vulnerable device, it would help tremendously and not only with the security of that specific device.

Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.

Provide a way to unlock the phones and a standard BSP, it should be the law.

Comment by chasil 1 day ago

If you are buying now, you want a device on a v5 Linux kernel with BPF support, where the bootloader can be unlocked and VoLTE is implemented in the 3rd-party ROM.

LineageOS has a build roster of current devices at this URL:

https://lineageos.org/Changelog-30/

The Pixels are the most flexible, but don't buy a model from Verizon (they don't allow unlocked bootloaders).

Most other OEMs require you to generate an unlock token and send it to them, then wait a week, which is extrememly inconvenient (and sometimes they just stop and refuse, as I understand OnePlus has).

If you want a locked bootloader at the end of the process for security, then you will be on a later Pixel with Graphene.

Comment by askvictor 1 day ago

Unfortunately, even with the best after-market support, banking apps and/or contactless payments becomes a cat-and-mouse game, that, even if it works, can stop working at the drop of a hat.

Comment by chasil 1 day ago

I can tell you that Wells Fargo works both on Lineage with Mind the Gapps, and Graphene with the Play store installed. I have it on my OnePlus 5 and Pixel 6a.

I understand that most U.S. banking apps work on Graphene.

As far as contactless payments, try a Pixel watch. I understand that it is entirely separate from the phone.

Comment by tadfisher 1 day ago

Provisioning payment cards on your watch without being able to run the phone app will be quite a challenge, however!

Comment by chasil 1 day ago

I have never tried this, as I am happier with RFID on my individual credit cards.

However, Google Pay will certainly run on my Lineage OnePlus 5. It will not provision localhost, but I am guessing that it will provision a watch.

I would go buy the parts and try it just to know, but I doubt interest would remain here by the time I assembled everything.

Edit: Graphene has a page on this subject, and Garmin appears to be the best option.

https://discuss.grapheneos.org/d/1040-compatibility-with-sma...

Comment by celeryd 1 day ago

> Being reliant on a single OS permanently nailed to the hardware is no less crazier.

Locking OS upgrades to a network vendor is substantially crazier. It creates pockets where the hardware vendor ships a security update but your network doesn't care to ship it and isn't incented to. It is BANANAS.

Comment by edoceo 1 day ago

Please try to e-recycle rather than normal land-fill trash.

Comment by secstate 1 day ago

e-recycling is only marginally better than a landfill. At least a landfill in pseudo-regulated government economy has the chance to be safely abated in 100 years. Though a few things of value are sometimes extracted, mostly it all ends in places like Turkey or India and burned or buried.

Sorry for the cynical take, but patronizing folks like this is worse than cynicism because it suggests that you actually believe what you're saying is true.

Comment by GuB-42 1 day ago

Just because one layer of the security stack is compromised doesn't turn your device into a paperweight. I know many people who use out-of-support and vulnerable devices and I am not aware of a single one getting pwned by a system exploit, it is always some kind of phishing or scam. This is anecdotal evidence but I couldn't find actual data, as most don't distinguish between malware that rely on system-level vulnerabilities (as in 0-day) and the ones that don't (like fake apps that steal credentials, mine crypto or inject ads). But it is clear that the former are a minority on Android.

If you don't know what to do with it because your security standards are so high, just give it to someone with lower standards then you, or use it for some project that doesn't involve sensitive data. And if security is broken to the core, there is probably some vulnerability you can exploit to root your phone and do whatever you want with it, including installing a custom ROM.

Still, I agree with you on making it mandatory to provide an unlock method, at least for out-of-support phones.

Comment by avadodin 1 day ago

It's not 1999 anymore. If you get RCEd today as a nobody you don't get a purple gorilla.

Just silently enlisted into a "Residential VPN" and a background script that checks for the SSID "Iranian Research Facility" every time you turn your wifi on for some reason.

Comment by _factor 1 day ago

"I've never had someone steal from my car, so the fact that my car lock doesn't work is not a problem."

Comment by GuB-42 1 day ago

More like: "Every time someone stole from my car, that's because I forgot to lock the door, that the lock can be picked is not a problem".

Sure, a thief may pick your lock, but unless he knows there is something valuable in there, he will probably go find a car the owner forgot to lock, it less effort and there are plenty of them, or he may look for more valuable targets.

Comment by JohnTHaller 1 day ago

I switched away from my flagship Samsung tablet when they pushed it to quarterly updates, meaning security issues often went unpatched for a while. In the fine print of the "X years of updates" they mention that they switch devices to updates only every 3 months and then every 6 months down the road.

Comment by ChocolateGod 1 day ago

I hoped with a move to Fuschia, Google would attempt to fix this, but unfortunately Fuschia on mobile is dead.

Comment by shwaj 1 day ago

It’s “Fuchsia” with a “chs” not a “sch”. Where do you get your information that it’s dead?

Comment by jcranmer 1 day ago

As Randall Munroe pointed out in https://blog.xkcd.com/2010/05/03/color-survey-results/, almost nobody knows how to spell "fuchsia" correctly. I only remember it by the mnemonic of it's fuck, but with an s.

Comment by Angostura 1 day ago

It’s helps if you know that the flower the fuchsia, was discovered by Dr Fuchs

Comment by eesmith 1 day ago

Named after, apparently. https://en.wikipedia.org/wiki/Fuchsia#Taxonomy

> The first to be scientifically described, Fuchsia triphylla, was discovered on the Caribbean island of Hispaniola (Haiti and the Dominican Republic) about 1696–1697 by the French Minim friar and botanist, Charles Plumier, during his third expedition to the Greater Antilles. He named the new genus after German botanist Leonhart Fuchs

See also https://en.wikipedia.org/wiki/Fuchsia_triphylla .

Comment by crazygringo 1 day ago

I vote to just change the spelling to what almost everyone already thinks it is anyways.

It'll still be just as weird. But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling. I mean, I know this is English spelling which is not known for its regularity, but this is just too much.

Comment by pwdisswordfishy 1 day ago

It comes from the surname of a German botanist. Which just happens to mean "fox". Never had problems with it.

It would probably help if you pronounced it right, with a /ks/.

Comment by umanwizard 1 day ago

The beginning of the English word "fuchsia" is not pronounced like the German word Fuchs, so indeed the spelling does not match the pronunciation. This is independent of the fact that it comes from that word. Plenty of things in English (and, in fact, loanwords in every language) sound different from the words they're derived from; that doesn't mean trying to imitate the source language is the "right" pronunciation. If you pronounce fuchsia like "fuksia" nobody will understand you.

Comment by darkwater 1 day ago

> If you pronounce fuchsia like "fuksia" nobody will understand you.

TIL and yet another case of "English is fucking weird".

Comment by 1 day ago

Comment by debo_ 1 day ago

Fuching weird, even.

Comment by darkwater 23 hours ago

:) Yeah, probably in this case English is doing the right thing, pronunciation wise. Anyway, checking in Google Translate the pronunciation it plays "fuksia", while Wikipedia has the right version.

Comment by lloeki 1 day ago

> But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling

In the word "french" C H is pronounced sh and nobody bats an eye, I don't think it's that outlandish that someone once read it as fuch-sia, incorrectly splitting it compared to the original.

In the language French, fuchsia is unequivocally read something more like few-shia, and I'd bet that even though it comes from German Fuchs-ia (fooks-ia) English has picked it up from the French side.

If you find such a loanword weird, don't you dare try reading Japanese.

https://aethermug.com/posts/the-beautiful-dissociation-of-th...

Comment by soiltype 1 day ago

> In the word "french" C H is pronounced sh

No, it's not. Unless you think the "n" in french is pronounced "nt".

Comment by lloeki 1 day ago

Fine, and legit. I get what I deserve for not looking it up!

Scaramouch and crochet though.

Comment by crazygringo 17 hours ago

Sure, and cache and cloche.

But the question here is chs, not ch. Which though rare, is widely understood to be a kind of guttural sound or "k" sound followed by an s. In -uchs or -ichs coming from German.

Not the "sh" sound in fuchsia.

Comment by 1 day ago

Comment by majoe 1 day ago

Damn, I always thought Fuchsia is just a colour, but today I learned

  - Fuchsia is a flower
  - which is named after a German botanist (Leonhart Fuchs)
  - Fuchsia in English is pronounced completely different than in German. 
  - Google is surprisingly bad at naming their products

Comment by crazygringo 1 day ago

> In the word "french" C H is pronounced sh

It's not, though.

Comment by surajrmal 19 hours ago

Fuchsia isn't dead. People just like to spread random misinformation on the internet. Source: I work on fuchsia.

The intention is to have a stable driver abi which should allow you to build an arbitrary OS on top (fuchsia itself is exceptionally modular and doesn't have a lot of opinions it imposes on products built above it). Of course similar to a Linux BSP not helping Fuchsia run, such a layer wouldn't enable you to run other OS on top that are not built on top of fuchsia. There is also a limit to what you can generalize in the OS layers as some products may implement private apis between themselves and specific hardware drivers. A stable ABI also implies that the drivers won't necessarily need to be open source, but if the goal is to keep the rest of the OS updatable even if drivers themselves are not updated, that is a necessary concession. There are also many other practical benefits to keeping drivers open source regardless of license obligations to do so. That all said I'm very optimistic about this direction regardless of these caveats.

Comment by mschuster91 1 day ago

That's always the case, even on Windows, even on Linux for closed-source third party drivers. The only exception is macOS because Apple insists on writing the drivers themselves - that was, in addition to Soldergate, the reason why Apple dropped NVIDIA.

Comment by ifh-hn 1 day ago

Are apples drivers open source?

Comment by AnthonyMouse 1 day ago

No. Which is why "the only exception is macOS" is also false. At some point Apple drops support for that model and then that hardware not only gets no more driver updates, because the whole system is tied to the rest of it, it gets no more updates at all.

So the only exception is systems with open source drivers. Those are basically supported as long as the hardware architecture is and enthusiasts even have the option of adding support themselves. You can install the latest version of many Linux distributions on the first generation of x86-64 hardware from 2003 and some on 32-bit PC hardware going back to the 1980s.

It should literally be a crime that you can't do the same thing on a five year old phone.

Comment by mschuster91 1 day ago

My point is that with macOS, Apple writes the drivers which means at least as long as the hardware is supported you can be pretty sure that there will be prompt fixes for any issue. With Android, Windows or closed-source Linux drivers (cough NVIDIA) you're left entirely at the mercy of whoever made the tiny little component controlled by the driver to provide a fix, which then has to bubble up through the ODM/OEM until it finally appears in an update you can install.

If you want fast responses to driver bugs, you only have Apple or a fully open-source Linux systems as an option.

Comment by ifh-hn 1 day ago

I can't see how the situation with apple is any better considering what you've said, you're still beholden to apple to provide a fix. Even if that fix might be quicker coming IF apple is currently supporting the device; not at all otherwise.

Comment by mschuster91 18 hours ago

> I can't see how the situation with apple is any better

Because in the Windows world, there often are no updates after maybe 1, 2 years. Chances are high, if you look in Device Manager of any reasonably new system, you'll find a lot of drivers dating back to before Covid and that's 5 years ago. Chances are even higher that if you look close enough, you'll find something being exploitable.

With Apple? Their track record for support is around 7 years.

Comment by AnthonyMouse 14 hours ago

Let's concede that Windows sucks.

If you have macOS, it's supported until the OEM (Apple) stops supporting it. If you have Linux with some proprietary driver, it's supported until the OEM (e.g. Nvidia) stops supporting it. If you have Linux with open source drivers, it keeps working pretty much indefinitely.

Meanwhile 10+ year old hardware is serviceable for many uses. A 15 year old machine from the scrap heap could have 64GB of RAM, a different one could have a low idle power draw for a use where that's the only thing that matters. Put a cheap SSD in a machine of that vintage and someone who is just using web and email could keep using it for the rest of their life.

Comment by RadiozRadioz 1 day ago

I'm really struggling to find any concrete information about what this vulnerability actually is. Does anyone know where to look for a good summary?

Comment by jfindper 1 day ago

>[...] there is a possible way to launch activities from the background due to a permissions bypass.

https://www.cve.org/CVERecord?id=CVE-2025-48572

https://android.googlesource.com/platform/frameworks/base/+/...

https://android.googlesource.com/platform/frameworks/base/+/...

>"In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed."

https://www.cve.org/CVERecord?id=CVE-2025-48633

https://android.googlesource.com/platform/frameworks/base/+/...

Comment by ActorNightly 1 day ago

Search CVE numbers.

https://www.cve.org/CVERecord?id=CVE-2025-48633

Basically, just like most things these days, its all just local privilege escalation. This means that you have to install/run an app that has these exploits built in.

Soif you usage profile doesn't include downloading apps from untrusted sources, you don't need to worry.

Comment by orbital-decay 1 day ago

In other words, if you ever need to install anything on your device, you do need to worry. What even could be trusted, a random app from Play Store?

Comment by lelanthran 14 hours ago

> In other words, if you ever need to install anything on your device, you do need to worry.

No, its "If you ever need to install some random app from the play, you do need to worry"

I installed the Teams app and Torque Pro today. I am not worried. I've also got the Sherlock games (purchased way back when) that I have yet to install on my new phone.

Installing that app also will not worry me. These apps are trusted because of the authors, not because of the Play store.

Worry is not binary, it's a probability, and you are at high risk if you're installing every rando's app on your phone and low risk if you are not.

Comment by rs186 1 day ago

What if an existing app gets an update that exploits the vulnerability?

For sure that's not going to happen to an app released by a major company, but there are lots of less known app created by many different developers.

Comment by ndriscoll 21 hours ago

Turn off app updates. If it's working now, why do you need to update it? Does the update add something specific you want?

Comment by skeaker 1 day ago

In other words, continue as normal: Don't install random crap you don't trust. That this is even newsworthy is kind of strange.

Comment by aleatorianator 1 day ago

[dead]

Comment by kelnos 1 day ago

> This [update] was rushed out to all Pixel users.

Pixel 8 here, still don't have the update. That's... not great.

Comment by int0x29 1 day ago

I think your carrier hasn't approved it yet. T-mobile seems to lag on these things. I also can't seem to find a system update. A Google Play system update does seem to exist

Comment by freitasm 1 day ago

We have an OS security update that is only release to users of a specific hardware, once approved by their mobile operator. It may be added to vendor-specific OS versions some time later (weeks, month or never). The vendor-specific may not be approved by a telco if the vendor doesn't have a relationship with that telco.

Now think that millions of people use the same OS on many different flavours, on different hardware, on multiple operators.

What an inneficient way of doing things.

Comment by rs186 1 day ago

I never understood why a mobile operator has any say in when to apply security patches?

Does it happen with iPhones?

Comment by snailmailman 1 day ago

Nope. When a new iOS update comes out, all supported devices may immediately install the update if they seek it out. Or it will usually auto update on its own, or at least nag the user to update.

It’s gotten slightly more confusing with the major updates now being optional. You get a choice between getting a feature update or just security patches. Unless I missed it, my phone never really asked me to update to the latest iOS 26. But I can, it’s there. I’m instead on the latest version of iOS 18. (They changed number schemes. 18 is last years major update)

Apple also does security updates for quite a long time. iOS 15, from 2021, got a security patch in September of this year, and works on the iPhone 6s from 2015.

Comment by SamaraMichi 1 day ago

iOS updates are not limited by the operator.

Comment by surajrmal 19 hours ago

Is this true for updates that might affect the way it interacts with the network (eg baseband firmware updates)? I assume it's much easier for iPhones to decouple that layer from the rest of the OS, which isn't the case for Android/Linux.

Comment by josephcsible 1 day ago

You can manually download the full OTA from https://developers.google.com/android/ota#shiba and install it with adb.

Comment by nervysnail 1 day ago

I'd suggest you to use GrapheneOS.

Comment by fluidcruft 1 day ago

How quickly did GrapheneOS roll out the update?

Comment by throawayonthe 1 day ago

Three days ago.

https://grapheneos.org/releases#2025120400

https://github.com/GrapheneOS/platform_manifest/releases/tag...

https://grapheneos.social/@GrapheneOS/115666650605430196

not sure how soon it made it to a majority of devices, but i do have it rn

EDIT: I was wrong, it's actually first mentioned in https://grapheneos.org/releases#2025102200

oct 22? https://github.com/GrapheneOS/platform_manifest/releases/tag...

Comment by 1 day ago

Comment by AlgebraFox 1 day ago

Faster than Google. Literally.

https://news.ycombinator.com/item?id=46173407

Comment by Cantinflas 1 day ago

Is the patch already available for GrapheneOS?

Comment by subscribed 19 hours ago

It was made available in the end of OCTOBER in the special security preview channel.

GoS has already deployed patches to some of the vulnerabilities you'll read about in January.

All the partnering vendors have access to the same bulletins.

Multi-billion companies like Samsung or Google had access to that since AT LEAST October. They chose to release these patches late. Some will release these patches months form now. Some, perhaps never.

So, the tiny team wins.

Comment by aussieguy1234 1 day ago

According to above comments, it was added 3 days ago. I'm updating to the latest release now.

Comment by 2OEH8eoCRo0 1 day ago

My friend is still on the Pixel 2. Are they affected?

Comment by petee 1 day ago

Pixel 2 stopped getting updates almost 5 years ago

Comment by tremon 1 day ago

That doesn't answer the question.

Comment by sva_ 1 day ago

There are two kinds of people:

1. Those who can extrapolate from incomplete information

Comment by tremon 17 hours ago

Please, feel free to extrapolate for me whether the "unspecified vulnerability" referenced in the article was introduced more or less than five years ago.

Comment by jeffbee 1 day ago

Just go to the software update, touch the button, then touch it a second time, and that will give you all available updates immediately, regardless of your random position in the rollout process.

Comment by Terr_ 1 day ago

Not working for me on Android 16, additional taps of the "Check for update" button in the bottom-right don't change the fact that it says "Your system is up to date" and that the last change was last month.

Comment by mrgoldenbrown 1 day ago

I see same behavior on my 8.

Comment by jeffbee 1 day ago

Could be model-specific. I got the update by doing that manually on my Pixel 8 Pro, that also happens to be on the beta track so there are a few confounders. But that is the way to get the latest software that is waiting to be released to your phone, without waiting.

Comment by Fishkins 1 day ago

I had the same experience as peer comments. I'm on Pixel 8 and Google Fi. When I check for updates, I'm told I'm up-to-date with the last update being over a month old.

Comment by voxic11 19 hours ago

Thanks that worked, so weird that you have to do it twice...

Comment by fluidcruft 1 day ago

I don't see it yet either and have mashed it a bunch (Pixel 7, T-Mobile). Says it's running October's update with no updates available.

Comment by baal80spam 1 day ago

This requires user action, right? User needs to install the APK by hand? In other words - if I don't install any crap on my phone I am safe?

Comment by pajko 1 day ago

Both mentioned CVEs seem to be about local privilege escalation. So basically yes, if you don't install crap apps, there's a high chance that you are protected. Problem is that it might not seem to be a crap app, but a nice-looking game, etc. Also an attack can come in with an update of any app you have already installed on your phone.

Comment by QuadmasterXLII 1 day ago

Threat model is probably third party ad and tracking libraries that pay to get into apps. If I caught it, I'd expect it to be from an app to use a parking deck, a colorful desk lamp, an otoscope etc where the developers sold out years ago

Comment by ajross 1 day ago

The point was surely more that apps being exploited via the Play Store can be mitigated there without client OS updates. The only hole here requiring the update needs a sideloaded attack.

Comment by array_key_first 1 day ago

Except the Play Store is a hot mess, and Google does little to no review of apps. Trusted repositories work best when the repository maintainers build and read the code themselves, like on f-droid or Debian. What Google and Apple are doing with their respective stores is security theater. I would not be surprised if they don't even run the app.

Comment by ajross 1 day ago

Again though, that's mixing things up. The question is whether or not mitigating the exploit requires an OS patch be applied promptly.

And it seems like it doesn't. If there is a live exploit in the wild (as seems to be contended), then clearly the solution is to blacklist the app (if it exists on the store, which is not attested) and pull it off the store. And that will work regardless of whether or not Samsung got an update out. Nor does it require an "audit" process in the store, the security people get to short circuit that stuff.

Comment by array_key_first 19 hours ago

I think it does - playing wack-a-mole with apps using frail heuristics is just not a reliable approach.

Comment by bigbadfeline 1 day ago

> if I don't install any crap on my phone I am safe?

We don't know. Practically no technical information is released about the bug, for what I care any play store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.

Comment by ActorNightly 1 day ago

CVE records are public. All info is there.

Comment by londons_explore 1 day ago

Whilst the play store supposedly scans all apps for malicious behaviour, it's pretty easy to detect the test environment they use for testing and make malicious behaviour only trigger in situations Google doesn't test - eg. 5 days after installation, only if the device IP address changes at least once.

Comment by usrusr 1 day ago

I'd imagine the dalvik part to be pretty open to static analysis?

On the desktop JVM, I've seen bytecode that decompiled to a form more readable than the original source I got access to later...

Comment by londons_explore 1 day ago

Yes, but the JVM allows so much use of reflection that it's easy to hide an interpreter and then hide everything else from any static analysis.

Comment by ActorNightly 1 day ago

Yes (with caveats)

In todays world, web based exploits are pretty rare. The only time you really see this happen is with full proprietary systems like IPhones because the software stack on those is all intertwined between kernel code and user code, and things like sending a text message with some formatted characters can lead to reboots of phones. But even then, to gain a full command line shell or steal secrets is either impossible due to attack surface, or requires the phone to be in a specific state, like fully factory reset.

The only real danger is chains of trust being compromised, as in some attacker manages to insert malitious code into an already trusted app that uses these exploits.

On a side note i get kick out of reading HN comments about exploitation and hacking. I think people firmly believe that with enough time, a hacker can figure out how to basically take over your phone given any exploit, no matter what it is.

Comment by subscribed 19 hours ago

Oh, but they will, given enough time.

Remember Kevin Mitnick's most successful approach, social engineering :)

Comment by charcircuit 1 day ago

>But in reality, Samsung (and the other Android OEMs) cannot compete with Google and its unique control over hardware and software.

Yes, they can. We are talking about applying provided security patches to source code, and then releasing a new version of their OS. For patches that have existed for months. The time from patch to release should be on the order l of days from receiving the patches to having a validated OS release with the fix being sent to users. It's not the control of Android which makes Google possible to patch their Pixel branch of AOSP faster than Samsung can patch their own. It's that Samsung doesn't care about prompt security fixes so they don't allocate engineers to do the work.

Comment by kwanbix 1 day ago

The problem is that each OEM releases 50 different models per year, vs Google (or Apple) that release 3 or 4 models.

Comment by shiandow 1 day ago

If that truly is an issue then Android is a fundamentally broken OS.

How many different models of PCs get released? How hard is it to patch any of their OSs?

Comment by reactordev 1 day ago

>How many different models of PCs get released?

If you want to go that route, each manufacturer is responsible for their own drivers for windows, linux, and possibly Mac (though if it’s novel enough, they will do it). Then think about the components that make up a PC. Motherboard, CPU, Memory Control, IO, OS, Audio, Video. Each of those needs to release patches. So its orders of magnitude more than any Android OS. It’s just pure laziness on the hardware manufacturers that don’t want to invest in software/support. They want Google to do that.

Comment by crote 1 day ago

The big difference with PC hardware is that the OS will get most driver updates for the individual components directly from the OEM. A driver update for, say, a sound card will directly be available to every machine with that sound card installed. The PC vendor doesn't have to be involved in any way.

It's the other way around with Android. Google does a new core release, and each individual manufacturer is responsible for modifying it for their devices. If you don't bother to upstream your drivers to mainline Linux and use a skin which heavily modifies core Android, backporting those fixes can quickly become a nightmare.

Comment by reactordev 1 day ago

Again, no sympathy as that’s the route they chose. Rely on Google for everything OS and make a phone whereas Apple made a phone and supplied an OS.

Apple made a product. Google made a software revenue stream. Entirely different things and now the Android makers are crying foul that they too have to do product engineering support. Nah. This is what you get when you rely on out of house innovation. I hope they all close shop. Not because I like Apple, but because they aren’t in the business of making products, only selling you hardware with bolt on software that it vaguely supports. Like buying a raspberry pi that can make phone calls. Google has them all by the balls.

Comment by thevillagechief 1 day ago

Yeah, and I also hope that all the PC makers close up shop as well. They rely on Microsoft for everything OS. Listen, you can just enjoy your iPhone in peace. Let other people make things, even if you feel they don't meet your standards.

Comment by array_key_first 1 day ago

No, I use Android and the security nightmare on Android is absolutely unacceptable. There is zero reason phones should rely on as many proprietary bullshit blobs as they do, and that's the root cause of this.

Even just looking past the bugs that almost certainly exist in the firmware, it makes these devices extremely difficult to update. Whereas on desktop, I get kernel patches expeditiously. Many Android devices are still running kernel 5, and of the ones running recent kernels, we're still waiting months for system patches.

If everyone just upstreamed their shit, then we would live in a Utopia.

Comment by reactordev 1 day ago

They don’t rely on Microsoft, quite the contrary. The OEM/ISV vendor relationship at Microsoft is the backbone of the company. Linux, servers, phones, infotainment, TV’s, robotics, all run a flavor of Unix (Linux being the primary, but BSD is in there).

For the consumer PC market, Microsoft cornered the market early on with IBM and HP with DOS. They then tried to pull the ladder and raise the gates when they went against OS/2 and Amiga. To win the Windows for Networks wars.

The only reason why majority of consumers use windows is because that’s how they want it. You can easily build a PC, no Microsoft Windows anywhere in a 1 km radius, and install Linux or BSD flavor of choice and be 90% there. Companies don’t want you to do that (i.e. Microsoft and Apple) so they preinstall the OS and it updates over the Internet whenever it wants to. Installing whatever it wants to. User choice be damned.

No, Pc’s don’t need Microsoft anymore than Rap needs p.diddy

Comment by 1 day ago

Comment by AshamedCaptain 1 day ago

But how are they doing to do the artificial market segmentation otherwise ?

(E.g. Samsung still limits Now brief to latest devices even though it is a 99% software feature + 1% cloud with 0 hardware requirements.)

Comment by crote 1 day ago

If you can't support 50 different models, then perhaps you shouldn't be releasing 50 different models.

Comment by TheDong 1 day ago

Weird how LineageOS supports ~300 devices while still managing to release patches.

I bet this CVE's patched quicker on a samsung device running LineageOS than the stock OS.

The real difference is that Google has a more competent software development process and release process than other android OEMs, regardless of how many different devices they have.

Comment by stackskipton 1 day ago

LineageOS doesn't customize the hell out of their OSes per device.

That's core of the issue. Samsung takes Android, customizes per device and then tosses them into the world. So now they don't have 1 OS to update, they have 100s of OSes to update.

Comment by arghwhat 1 day ago

That's still one OS. Customization is mostly userspace "system" apps that they swap out and maintain, but reused across all their phones with some small variation. Hardware enablement will differ between models, but that's just the cost of doing business.

Can be a pain to move the whole suite to a new major (porting all their inhouse apps, getting all the hardware enablement from vendors updated to match, ...), but we're not dealing with a major upgrade here.

A security patch is "just" a matter of taking the last release, applying the diff, build, qa, release. No customization.

Comment by klooney 1 day ago

The fix was released in September according to GrapheneOS, so you'd think they could have it out for the flagships

Comment by mrgoldenbrown 1 day ago

If they choose to release 50 models, they need to factor in the cost to maintain security on 50 models.

Comment by drtgh 1 day ago

They must release drivers and firmware for all the devices that they no longer support.

Comment by like_any_other 1 day ago

And 5000+ laptop models per year, yet linux runs on (pretty much) all of them. This is an entirely self-inflicted problem. They don't deserve an ounce of mercy.

Comment by jacquesm 1 day ago

And then you install that 'security patch' and end up with a borked phone, apps that no longer work, new apps that you didn't ask for and so on.

Give me just the security updates please.

Comment by BXLE_1-1-BitIs1 17 hours ago

I choose not to install any banking app and do my banking in incognito mode so that any malefactor who somehow gets into my device can't see where I bank.

Of course that leaves security in the hands of the browser.

Comment by DANmode 15 hours ago

Good news, they’re expecting and ready for that burden!

Comment by 1 day ago

Comment by rew0rk 1 day ago

While the information leakage/disclosure is a big issue, It feels like its still a big jump to get users to install off-Play Store APKs?

Comment by timothyduong 1 day ago

Considering there was a whole hubbub starting from late Aug 2025 RE: Certification of ALL Android apps/.apks: https://android-developers.googleblog.com/2025/08/elevating-...

Followed by a partial walk-back from Google in mid Nov 2025: https://android-developers.googleblog.com/2025/11/android-de...

I would say there is a substantial amount of users willing to install off-play Store .APKs. Substantial enough they're also willing to take a 'jump' and accept the risks/errors displayed

Comment by Squeeze2664 1 day ago

Is GrapheneOS affected?

Comment by bramhaag 1 day ago

GrapheneOS has patched this CVE back in September, as long as you've opted into the security preview releases: https://grapheneos.social/@GrapheneOS/115647360248469626

Comment by jackwilsdon 1 day ago

From what I can tell, if you're running the latest security preview release[1] then it's already fixed: https://grapheneos.org/releases#2025120400

[1]: https://discuss.grapheneos.org/d/27068-grapheneos-security-p...

Comment by 1 day ago

Comment by VortexLain 18 hours ago

Closely tieing hardware and software instead of using unified OS images like on desktop, together with play "integrity" lock-in are the reasons why there are no security updates and software freedom on the mobile.

Comment by resist_futility 1 day ago

nice list of vulnerabilities and source changes

https://source.android.com/docs/security/bulletin/2025-12-01

Comment by interloxia 1 day ago

CVE-2025-54957 critical rce in Dolby audio processing is a worry.

https://source.android.com/docs/security/bulletin/pixel/2025...

Comment by londons_explore 1 day ago

> with attacks that can achieve “remote denial of service

Denial of service doesn't sound so bad... Does a reboot of the device solve it?

Comment by yaro330 1 day ago

Forbes as always top notch journalism, what does Samsung have to do with Google updates and why are they indirectly blamed for Samsung's slowness?..

Comment by domoregood 1 day ago

https://archive.is/krzUC

Comment by 1 day ago

Comment by knorker 1 day ago

Why anybody would buy a Samsung product at this point I don't understand.

Every single Samsung product I've had to use is actively user hostile. Like a petty kind of hostile.

Comment by magicalhippo 1 day ago

I've been Samsung since S3, but recently picked up a cheap Motorola as a secondary. Been pretty satisfied with it, clearly not as fancy as the S23 I got, but decent enough. However they only get 2 years of Android updates, and I'm getting spammed by Motorola at least once a week of not more to install some silly game or whatnot.

I've also not been terribly impressed by the UX changes Samsung has made recently, lots of questionable decisions there.

What other decent options are out there?

Comment by dJLcnYfsE3 22 hours ago

https://www.androidauthority.com/phone-update-policies-16586... has summary of phone manufacturers update policy. It looks like for now the answer is: if you don't want an IPhone then grab Pixel and install GrapheneOS on it.

So no decent options for out-of-box experience.

Comment by morshu9001 1 day ago

They're cheap

Comment by knorker 22 hours ago

If the flaws were just about missing premium features, that'd be one thing.

But it's not. It's petty and abusive. For example, you can't see (I think it was) heart rate if you have a Samsung smart watch, but don't have a Samsung phone. They've gone out of their way to just not provide that, if you instead have a Pixel phone. And you need like 5 gigantic apps installed to manage it. Why is it not just one single Samsung wear app? Because they are abusive.

Comment by morshu9001 16 hours ago

I mean that people buy it cause it's cheap, not that it's a good idea. They don't even look at the rest. It's like an Altima.

Personally have no reason to consider anything but an iPhone, even if it has to be used.

Comment by TiredOfLife 1 day ago

They are the only ones that makes phones with usable stylus.

Comment by Noaidi 1 day ago

I don't understand why Samsung, with all their money, does not make their own fork so it does not have to rely on Google. I guess that is how they get all their money though. I was inches away from buying a 25+ this week. Glad I did not.

But I mean, why do we only have two choices of OS for phones (I did not include GrapheneOS because it not easily available for the normie)? That is what is ridiculous. And why, in the US, do I only get three choices of flagship phones when in Asia they have like twenty? I hate this third world country I am living in.

Comment by yaro330 1 day ago

They do have their own fork, they just don't have any of the security infra that google does. So they "rely" on Google for that.

Comment by kaluga 1 day ago

[dead]

Comment by purplehat_ 1 day ago

[dead]

Comment by charcircuit 1 day ago

This isn't accurate and is just an AI hallucination.

Comment by pogue 1 day ago

So it sounds like if you don't sideload apps you would not be at risk, correct?

Comment by gpm 1 day ago

I suspect the average person who installs apps outside of the play store is still much more likely to be infected via malware that dodged the playstore's detection than the apps they install from other sources, because there's usually considerable trust involved with the other sources.

In particular they're usually f-droid and open source apps compiled by f-droid.

Comment by barrkel 1 day ago

Look here: https://vulert.com/vuln-db/CVE-2025-48633

It has to do with setting the device owner, and gaining those powers; enabling / disabling apps, remote wipe, etc.. It's a local privilege escalation attack and doesn't require user interaction.

Comment by 4ndrewl 1 day ago

Conveniently Google can use this to justify banning installs from unofficial stores.

Comment by weberer 1 day ago

What did you use to make that chart? It looks really nice. Its the first time I've see these ASCII boxes on HN without gaps in the border.

Comment by nutjob2 1 day ago

> The Forbes link unfortunately doesn't say much about how it works.

True, it says almost nothing of value about the exploit, but it does teach us that 30% is almost one in three.

Comment by da_grift_shift 1 day ago

Is this guy going to make a slop repo for every new CVE in a high-profile product advisory so he can rack up some stars and put this shit on his resume? Jesus fuck.

This is just polluting the namespace and making it harder for blue teamers and incident responders to share IOCs.

His repos either lack a PoC and just contain a README with more emojis than facts; try to pass a public version checker off as a PoC; or invent a non-working PoC in the absence of technical details.

Bullshit asymmetry.

Comment by baaron 1 day ago

My tinfoil hat might be on too tight again... but the timing of this exploit coinciding with Google's full court press on Android user rights is just a little suspect. Especially after the ongoing public education campaign about the evils of "sideloading" an Android application.