
Software update after new malware

Discussion in 'Android Lounge' started by Macnerd, Sep 20, 2021.

  1. Macnerd

    Macnerd Newbie
    Thread Starter

    I have a Samsung S10. It's loaded with bloatware. It's my last Android phone with bloatware.

    I'm thinking about getting a Pixel 6. I know that manufacturers of bloatware Androids take months to send out software updates. How quickly does Android send out updates to Pixels if there's new malware?



  2. Hadron

    Hadron Smoke me a kipper...
    VIP Member

    Pixels receive monthly security updates, which occasionally contain new features as well. Of course that's how often the updates come out, it does not mean that the response to a particular exploit will appear in the first update after its discovery.

    Though I might note that Samsung quite often release the security patch a day or two earlier than Google do, at least for their flagships. Major OS updates are much slower, but for security patches they have got a lot better.
    ocnbrze and Dannydet like this.
  3. ocnbrze

    ocnbrze DON'T PANIC!!!!!!!!!

    Just curious as to what you mean by new malware? Samsung does a decent job of security updates. Not sure on Pixels, but I would assume that they are among the first to get security updates.

    Plus Android does not have viruses, malware yes. But malware is pretty hard to get. I have been on Android since day one and have never used any anti-virus/malware app and I have always had a clean phone.

    As long as you're careful and use common sense, you should be fine.
  4. Macnerd

    Macnerd Newbie
    Thread Starter

    Thanks for the quick reply.

    The reason why I ask is because I read online that Apple recently issued a software update for a malware download. One doesn't need to download the new malware to the iPhone. Somehow it is downloaded to the owner's phone without the owner being aware that the phone is infected with malware.

    One day my phone was making a lot of noise. A Verizon app was downloading Chime (you've probably seen the TV commercial) to my phone. I tried to stop the download. I failed. I restarted the phone & the download continued. I had to manually uninstall the app. I disabled the Verizon app. I was mad that the Verizon app downloaded Chime without my permission. I swore that I'd never again get a phone with bloatware.

    I pay off my S10 in March of 2022. Then I want to get a bloatware-free phone. I've never had an iPhone. I do have a Mac mini desktop & a MacBook Air.

    That's why I asked the question. I'm wondering how quickly Pixels get software updates after a zero-day attack.
  5. ocnbrze

    ocnbrze DON'T PANIC!!!!!!!!!

    Never had any issues with my Note 10+ or my Fold 3 with Verizon as far as downloading anything without my knowledge. Been with them for almost 2 years and all is good.
  6. Hadron

    Hadron Smoke me a kipper...
    VIP Member

    Yes, this was a patch for a security flaw in iMessage that was being exploited by the Pegasus spyware to allow zero click infection. So that particular exploit will never affect Android, because only iDevices can run iMessage, but of course that doesn't mean that other exploits won't appear for Android.

    It had in fact been used by the developers of this spyware for several years without Apple being aware (which you might argue is an illustration of the closed-source "security through obscurity" model's weakness). It was only when some press organisations got access to data that showed how it was being used (by the spyware company's clients, all national governments, to target inconvenient people like opposition politicians, journalists, human rights activists, etc) and the story made headlines that Apple became aware and acted.
    Sounds entirely fair to me. The worst bloatware providers seem to be service providers such as VZW rather than phone manufacturers, so part of my solution is never to buy a phone through a carrier (though British carriers don't seem to be as bad as many US ones - I have the impression that VZW are about the worst on the planet for this).
    And the answer is basically "as quickly as any Android phone will", since it is Google who provide patches to the Android OS - though, as noted, Samsung have sometimes actually released the patch they receive from Google a couple of days before Google release it themselves. But for an OS fix Samsung, and all other manufacturers, receive the patch from Google; the only case where a manufacturer would be making the patch themselves would be if they introduced a vulnerability via one of their own apps or modifications, and hence it was specific to their devices. Therefore as long as we are talking Android, nobody is going to get the patch significantly faster than a Pixel.

    How quick that is will depend on when they find out and how complex it is to fix, so you can't give a definite answer. What usually happens with such vulnerabilities is that they are discovered by a security researcher (or sometimes someone in the company) and the company is warned privately, with the vulnerability only being revealed publicly when a fix is available or imminent. Hence it's hard to say from outside how long this normally takes. Sometimes people go public with information about the vulnerability because they think that the company (Google, Apple, Microsoft, whoever) is taking too long to provide a fix. I've never seen any evidence that one or other of these companies is overall quicker at patching things, but it's hard from the outside to really know (they'll all claim to be the best, but then they would say that...).

    The iMessage bug that Pegasus was exploiting was unusual in that as far as I can tell it became known through journalistic investigation rather than security research. Even then I don't know at what point Apple would have known: the story got widespread publicity when a few journalistic organisations who had been investigating this stuff got hold of evidence of how widely it was being used and who was being targeted, but I'd been reading about its existence, and abuse (always denied by the developers), for many months before that, and if I as a private citizen knew of this stuff you'd hope that all of these companies would have someone paying attention to such things, even though there is a difference between knowing that there is a vulnerability and knowing what it is. So I really cannot say when Apple would have known of the iMessage vulnerability, and hence how long it took them to patch it. Of course the patch was rather dramatically rushed out, but by that time there was a story out there that many people were being spied on using a vulnerability in their iPhones, which was a public threat to one of their marketing messages, so they had to be seen to be acting quickly. But that doesn't tell us what they knew and when, and hence how long it took to develop and test the patch - though given that they couldn't possibly risk releasing an insufficiently-tested patch to something like iMessage I doubt that this was a matter of days, no matter what impression they would like to give.
    #6 Hadron, Sep 21, 2021
    Last edited: Sep 21, 2021
    Dannydet, mikedt and ocnbrze like this.
  7. Davdi

    Davdi Android Expert

    It's usually called 'Responsible disclosure'. The discoverer of the flaw/bug/security weakness tells the company, with the caveat that they'll make it public if the problem is not fixed within a given time-frame (usually 90 days, but may be shorter if the problem is known to be currently exploited 'in the wild'). If you know the problem's CVE number, you can check on it at https://www.cvedetails.com/
    ocnbrze likes this.
