Google warns that android Smartphone manufacturers need to get better at fixing their devices.
in blog post (Opens in a new tab) Published by Google’s cybersecurity arm, Project Zero, researchers explain how Android’s greatest strength – Decentralization if its ecosystem – is also its greatest weakness.
As it is now, it says patching The process is too slow, too cumbersome, and too divided, putting consumers at risk of vulnerabilities that are known and relatively easy to exploit.
decentralization problems
Although Android was created by Google, it is based on Linux, and it is basically an open source solution, so it is a third party. smart phone Manufacturers like samsungOppo, LG, and OnePlus can take ownership of their OS version.
As a result, when Google releases a patch, it must first be analyzed and modified by the manufacturer, before being pushed to the device. This means that Android users may be at risk of being hacked by malware For a long time.
If that period has elapsed for too long, and Google releases details of the vulnerabilities to the public, this gives cybercriminals a unique opportunity to compromise. endpoints Without having to search for zero new days.
In contrast, Apple offers a closed ecosystem for its devices. The company is responsible for building most of its hardware and software. So, with updates so tightly under Apple’s control, whenever the company releases a patch, most endpoints get it fairly quickly.
This is exactly what happened with CVE-2021-39793, a security vulnerability in the ARM Mali GPU driver used by several Android devices that Radar Pro Technology mentioned in November 2022.
Once Google finished its investigation of this zero-day in July 2022, it reported the findings to ARM, who then corrected it in August 2022. Thirty days later, Google announced its findings.
However, Google found that all test devices that used Mali remained vulnerable to issues. It said at the time that “CVE-2022-36449 is not mentioned in any final-stage security bulletins,” which raised the issue of what it called a “patch gap.”
“Just as users are advised to patch as soon as possible as soon as a version containing security updates becomes available, the same applies to vendors and companies,” the blog post reads.
Arguably, “reducing the ‘patch gap’ as a resource in these scenarios is even more important, as end users (or other vendors) block this action before they can obtain the security benefits of the patch”.
“Companies need to remain vigilant, follow primary sources closely, and do their best to provide full patches to users as soon as possible.”
