For the second time in just 12 weeks, Google has suddenly warned owners of its Pixel smartphones that a new security vulnerability “may be under limited, targeted exploitation.” August’s security update is now live and you need to ensure it installs on your device as soon as it becomes available for your model, carrier and region.
The new threat affects Android’s core kernel, and Google says it “could lead to remote code execution with system execution privileges needed.” As ever with such vulnerabilities, there’s little additional detail at this early stage, but the known exploit seems to have been discovered by Google’s own TAG threat hunters, and so is likely to be attributed to a major league cyber group, spyware outfit or even nation state.
Despite Google telling users that “source code patches will be released to the Android Open Source Project (AOSP) repository in the next 48 hours,” suggesting delays for non-Pixel users, Samsung seems to have prioritized a fix, which is included in its own August security update, released Tuesday, the same day as Pixel’s.
In addition to the headline zero-day, there are a range of other security and bug fixes in both the general Android and specific Pixel update for the month. None of the others are standouts, and most Android users will now be more focused on the release of Android 15, with expectations a timeline could be confirmed this month.
Android 15 significantly moves the bar on security protection for Pixel and other OEMs, with new features including protection from cellular intercept technologies, scam callers and device theft. But the headline update is AI-powered live threat detection, which can monitor an app’s behavior on-device and warn if it seems to be following patterns typically seen with malicious installs.
Android 15 comes just as Google tightens its Play Store rules, promising to delete man y thousands of low-quality apps, which will include those most likely to be hiding threats. There is also a noticeable tightening of Play Protect restrictions and less open flexibility on sideloading apps from less reputable sources.
As for the new zero-day, there seems to be far more alignment between Google and other OEMs this time around. The June update was a mess. The vulnerability was initially tagged just for Pixel, before Google confirmed it impacted others as well.
That zero-day prompted the US government to issue add the threat to its Known Exploited Vulnerabilities catalog, giving federal employees with Pixel devices 12-days to update their phones or stop using them. We don’t know yet whether we’ll see the same this time around. I’ll provide an update here if so.
Meantime, keep an eye out for the August update on your phone.