
Samsung issues update warning for Galaxy smartphones as Google confirms new threat

July 3 Update: Details on Google’s latest Pixel phone update.

Samsung has once again outpaced the Pixel when it comes to revealing details about this year’s security patch. But be warned, this update is actually bad news for your Galaxy device — the alarming issue is what’s missing, not what’s fixed.

Google has confirmed that Samsung and other Android devices are vulnerable to the same security risk that prompted the Pixel zero-day warning in June. While Pixels have been patched, Samsung devices haven’t. And it wasn’t addressed at all in the July update. Considering the threat was serious enough to warrant a warning from the US government, you should be very careful about your exposure.


Samsung’s update does include four other critical Android security fixes, though three of them patch Qualcomm vulnerabilities and were delayed from June’s Android update. Samsung warns users that component updates may arrive later than software and firmware fixes, but Pixel managed to get them out faster.

At least the other critical Android update in Samsung’s July build is up to date and was released immediately. Google warns that CVE-2024-31320 affects the core Android framework and “may lead to local privilege escalation without requiring additional execution privileges.” Consider that in itself a warning to update.

In addition to the broader Android fixes, Samsung is including the usual list of its own fixes, including critical updates to address input validation risks. Samsung warns that this could allow a remote attacker to execute arbitrary code by compromising secure control data on the device. While “user interaction is required to trigger this vulnerability,” meaning some form of UI message that the user would have to follow, this could be hidden in a number of different ways.

But a much more serious issue is the lack of a patch for the Pixel zero-day.

Last month, Google warned Pixel phone users that the CVE-2024-32896 vulnerability “may be subject to limited, targeted exploitation,” and the U.S. government ordered federal workers to update their Pixel devices by July 4 “or discontinue using the product.”

This Pixel patch was the second part of the April patch, and GrapheneOS, which was behind the reveal, warned that “there are two security vulnerabilities that are being fixed.” “Neither issue has been fixed yet outside of Pixels,” GrapheneOS wrote.

Google confirmed this, telling me that “Android Security is aware of this issue and after further analysis, we have determined that it impacts the Android platform… Pixel devices that have the latest security update installed are protected… we are prioritizing applicable fixes for other Android OEM partners and will deploy them as soon as they are available.”

And while Google says that “additional exploits will be needed to compromise the device,” this is exactly the kind of chain attack, combining multiple vulnerabilities, that GrapheneOS is warning about. There is currently no patch for any device other than Pixels, and it could be months before one is available.

GrapheneOS also warns that another flaw — CVE-2024-29745 — still poses a threat to Samsung and other Android devices and has only been patched for Pixels. “CVE-2024-29745 is a more serious issue,” I was told, “and was fully patched in April for Pixels, but other devices do not yet have this protection.” Because it’s a firmware issue, it needs to be patched by the OEM. And that will take some time.

That risk of Pixel being patched while others aren’t is starting to form a pattern — and that’s not good news if you just spent more than $1,000 on a new flagship and expected it to be fully secured. I’ve reached out to Samsung for comment on these vulnerabilities after receiving confirmation from Google.


Google has been lagging behind Samsung in recent months when it comes to its own Pixel update bulletins. But not this month — at least not by much. Pixel users now have details about their own July release. Unlike Samsung’s July patches, this year’s Pixel updates are pretty light. But there are also broader Android updates that are more extensive, covering critical software and hardware updates that Google says are included in a Pixel update.

And that in itself is a problem for Samsung users — because they don’t get the same timely fixes. Aside from the Pixel zero-day, which is still an active security flaw on Samsung devices and will remain so until it’s patched, not to mention CVE-2024-29745, the Pixel has subtly become more and more like the iPhone in its combination of hardware and software in a seemingly integrated offering. While the Pixel is still dependent on carriers to push its software, it’s presenting a more cohesive offering.

Samsung is in trouble. Google is now getting into its groove with the Pixel, which is no longer a bet. The rapid addition of its own AI to Pixel devices that are clearly optimized for that software promises much fiercer competition in the years to come. And while both Pixel and (especially) Galaxy have their eyes on the iPhone, Pixel’s more immediate target is Samsung and the hundreds of millions of devices it already sells to users committed to the Google-controlled Android ecosystem.

Even on the AI security and privacy front, where earlier this year it seemed that Google would be very cloud-based, giving Samsung’s hybrid AI offerings some market share, that has now changed. The market is becoming more focused on the privacy benefits of device-only AI, and Google is responding to that. Its control over Android’s core AI offerings and Pixel hardware is a clear advantage.

None of this will seem edgy yet—Samsung’s flagships are flying off the shelves. But it’s a fickle market, and AI will be a generational shift that will make it even more pronounced. There will be a lot of users switching brands, even platforms.

Pixel is more of a software game than hardware, and in that respect it differs from Samsung and Apple. But AI has changed the equation for users. And when it comes to security, the integrated hardware/software ecosystem that Google controls gives it the ability to match Apple’s approach in a way that Samsung has clearly shown it can’t.


Samsung still holds onto its position in the premium Android market, but Google is focused on catching up and has a real advantage. That really came to light in recent months. Samsung users have noticed delays in component updates — particularly from Qualcomm. And that contrasts with the Pixel’s more immediate release of these fixes. This new warning — a belated admission that the Pixel zero-day isn’t just a Pixel issue after all — is a serious mistake and needs to be addressed — fast.

Android 15 isn’t too far off, and while the release will add a slew of new security updates and improved user protection, it will also hopefully iron out some of those lingering issues. But that’s a long time to wait. In the meantime, Samsung users should update as soon as this month’s update becomes available for their model, region, and carrier.