
Same for security updates. A lot of new features and security patches get updated via the Google Play Services to older versions of Android as well.



Google Play System updates provide very few security patches and this only applies to devices with Android 10 and higher and most APEX modules are only updatable in later versions.

I track security patch counts of monthly Android Security Bulletin vs available APEX vs my aftermarket backports for A7 through A13 here: https://divestos.org/pages/patch_counts#aggregatePatchCounts


And the annoying thing is that on some phones (like Samsung phones recently, twice), the Play System updates get blocked for months on end. Worse, people who buy a new device are often stuck on ancient versions.

I recently tried an Android phone again for a few months, and the update/security situation is still a mess. E.g. Samsung does monthly updates on more premium phones. But a former flagship like the S22 would sometimes only get the update near the end of the month, even before the S24 is out. Having a phone with known CVEs for the better part of a month is… meh.

For some vendors, like Samsung, things are much better than a decade ago, but it’s still a far cry from Apple rolling out updates to all models simultaneously.


> Samsung does monthly updates on more premium phones. But a former flagship like the S22 would sometimes only get the update near the end of the month, even before the S24 is out.

This is complicated by their rolling updates per country; it can be a few weeks between the first CSC (3 letter identifier for country and carrier variant) to receive an update and it being rolled out to the final one.

I was towards the end of that update cycle, so the Android security patch level could become quite detached from the actual month.
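
As an added illustration (not part of any comment in this thread), the sketch below measures how many months a device's reported security patch level lags a given date, and whether it runs Android 10 (API 29) or later, the minimum stated above for Google Play System updates. The `getprop` sample is constructed, and the function names are hypothetical.

```python
import re
from datetime import date

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[ro.build.version.sdk]: [33]
[ro.build.version.security_patch]: [2023-11-01]
[ro.vendor.build.security_patch]: [2023-09-01]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")
PATCH_LEVEL = re.compile(r"\d{4}-\d{2}-\d{2}")
ANDROID_10_API = 29  # Android 10 is API level 29


def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def months_behind(patch_level, today):
    """Whole calendar months between a YYYY-MM-DD patch level and `today`."""
    year, month, _ = (int(part) for part in patch_level.split("-"))
    return max(0, (today.year - year) * 12 + (today.month - month))


def patch_report(getprop_text, today):
    """Summarise platform/vendor patch lag and Android 10+ status."""
    props = parse_getprop(getprop_text)
    sdk = props.get("ro.build.version.sdk", "")
    report = {"android_10_or_later": sdk.isdigit() and int(sdk) >= ANDROID_10_API}
    for name, key in (("platform", "ro.build.version.security_patch"),
                      ("vendor", "ro.vendor.build.security_patch")):
        value = props.get(key)
        # A missing or malformed patch level is reported as None, not guessed.
        valid = value is not None and PATCH_LEVEL.fullmatch(value)
        report[name + "_months_behind"] = months_behind(value, today) if valid else None
    return report


if __name__ == "__main__":
    print(patch_report(SAMPLE_GETPROP, date(2024, 1, 20)))
```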


>Having a phone with known CVEs for the better part of a month is… meh.

Out of curiosity, have you ever encountered any malware that exploits said CVEs? If a month delay would be so dangerous, Android users, even of new devices would be getting pwned left and right, let alone Android users of devices no longer getting patches.

Source: Android user of old phone who hasn't been hacked yet so I'm not sure where exactly the dangers are, as the attack surface is mostly the web browser and the apps, both of which are scanned and covered by up-to-date patches from Google Play Store/Services even on my ageing phone. So as long as you don't browse extremely dodgy websites, and don't download shady apps you should be good as nothing else can get to the Kernel CVEs on your unpatched phone.

Yeah, I'm sure some crafty malware dev can whip out a targeted virus that can exploit the chain of open CVEs on my particular phone through a MMS message or something, but I'm not sure targeting the 100 or so users left still using this old OnePlus model that's worth less than 20 Euros used (pointing to a user without much income), is a good use of their skills and time, when they could be frying much bigger fish with that know-how like going after Microsoft's Azure or something.

Nor am I being targeted by state actors who have these means. And if you are being targeted by state actors, they have access to Zero-Days that even Apple or Google haven't patched yet so you're not safe anyway no matter what phone you have.


> If a month delay would be so dangerous, Android users, even of new devices would be getting pwned left and right, let alone Android users of devices no longer getting patches...Android user of old phone who hasn't been hacked yet so I'm not sure where exactly the dangers are

What are the odds that you'd ever know if you were hacked? If you have root access on your device your odds of being able to see something amiss are probably somewhat better than if you don't, but even then I wouldn't count on it. How many people detected Predator/Pegasus? It isn't just state actors taking advantage of zero days. A zero day gets that malware on your system, but once it's infected how would you know? There have been reports that millions of Android phones are infected at the factory. (https://www.theregister.com/2023/05/11/bh_asia_mobile_phones...)

We know mass infections happen (see https://www.bleepingcomputer.com/news/security/over-nine-mil... and https://www.wired.com/story/android-gooligan-ghost-push-hack...) and there have been some bold (if unverified) claims that most Android devices are/were infected with something (https://www.zdnet.com/article/bt-almost-every-android-device...).

I don't know how you could possibly be confident that your device isn't infected with something. The devices are designed to keep you from having the ability to poke around too much at their internals and the radios make it difficult to monitor exactly what's being sent/received to the device.


YSK: that ZDNet article was (thankfully) corrected in this subsequent article in which BT refuses to release their data: https://www.zdnet.com/article/bt-backpedals-on-claims-almost...


>What are the odds that you'd ever know if you were hacked?

Would you know?

>I don't know how you could possibly be confident that your device isn't infected with something.

Easy, my bank account is still full.

How are you confident your phone isn't infected? Being up to date is no guarantee. Until you can poke around with root access to inspect everything it's still Schrodinger's cat in a black box you trust to not be dead inside.

Because how would malware ever make it into my phone? It doesn't just magic itself onto your device once it stops receiving updates. It needs an entry point off the attack surface. And what's my attack surface since all your examples don't apply to me?

I never download shady Apps from the likes of Huawei AppGallery lol or even off the PlayStore and I don't use Android 5. All apps I use are WhatsApp and Google Chrome, and I also don't browse shady websites on my phone.


> Would you know?

I very much doubt it.

> Easy, my bank account is still full.

That assumes the malware is intended to take your money instead of your data, or even just your internet connection. Malware can be used to attack/infect other devices or even just click ads. What kind of harm could someone who had full access to your device, including access to your internet activity, texts, location, camera, and microphone do to you without telling you about it (blackmail)?

> Because how would malware ever make it into my phone?

Maybe it was installed at the factory. Maybe it came from literally any one of the many many vulnerabilities that made it possible to infect your device without any indication. Android phones have been compromised via text message, via Bluetooth, via QR code, and via apps.

It's great that you aren't doing anything obviously risky, but that isn't a requirement to get infected and the problem is you just can't know. You aren't the admin of the device. You don't have the authority to control what it does. You aren't allowed to see what it's doing. You can't see who it's communicating with or when.


I've also used phones which haven't received any updates for years without any obvious problems. Just maintaining basic digital hygiene like you do. In theory, one could use a zero-day in a web browser (like the recent libwebp vulnerability), then exploit one of the numerous CVEs in one of the system libraries or the kernel, and own the phone that way even without you doing anything worse than visiting a random website. For example, that's how one of the first methods of jailbreaking PlayStation 4 operated.

Your average Joe six-pack like myself probably shouldn't really worry about it though, it seems more likely to be used against really high value targets.

You might want to try out another web browser that has aggressive ad blocking (Firefox, Brave, or Vivaldi should do it) since ads are one of the major methods of spreading malware.


>You might want to try out another web browser that has aggressive ad blocking (Firefox, Brave, or Vivaldi should do it) since ads are one of the major methods of spreading malware.

Underrated advice. Too bad said Joe six-pack doesn't follow it because he thinks other browsers "have viruses".


> It needs an entry point off the attack surface.

Considering how many vulnerabilities have been in the media stack of Android, all that would take would be an image or an autoplay video on a website.


So why haven't I or anyone else here with Androids been hacked already, if it's so "simple"?


Are you suggesting we've got a statistically valid sample of Android users here to suggest that drive-by RCE exploits that have been published and patched on modern Android devices are essentially just a fantasy and aren't actually concerns at all for unpatched devices? And that the people in this sample would always clearly know their device was compromised?

FWIW, while I don't think I personally had an Android device hacked, I do think I've had family members with devices potentially hacked. One family member running an older version of Android continued to have lots of accounts constantly getting stolen despite using a password manager and unique complicated passwords. Pretty much any time they'd be logged in to an app there would begin to be fraudulent orders or other mischief on that service. They never installed shady apps. Rotate the password on another device, no problems for a while. Log in on the phone again and within a day or two have the mischief start again. All that stopped after replacing the device.

Another family member started getting popover ads on their device despite not having any odd apps installed that would be the cause. Even after a "factory reset" the popover ads continued to plague the device, as if it was embedded in the ROM.


>Easy, my bank account is still full.

That one is probably not valid.

My bank app is sht. The 2FA is EMBEDDED in the app; in the beginning it was a separate app. It also needs Google Play Services. And I live in a third world country with little accountability. On top of all that, most people use very cheap Chinese phones which never get any update.

Still, bank accounts have never been depleted through hacking of phones.


>Easy, my bank account is still full.

To be fair, it's non-trivial to convert hacked bank credentials to actual cash, due to anti-fraud measures, KYC rules, and reversibility built into the finance system. A better indicator would be $1000 worth of BTC on an unencrypted wallet not being hacked.


True, given that the average Android phone probably needs 100s of CVEs patching, it's kinda weird that there's no obvious epidemic of phones being hacked.


I think you are mistaken.

If something is actively exploited they definitely don't wait until month's end. Also a Google update is not urgent if the vulnerability is not really exploitable on Samsung (they have some additional security) or a fix is already backported.



