Updated on October 30 with an update on Samsung’s head-to-head with iPhone for global shipments and a potential branding change, both impacting the more secure, premium handset market. This article was originally published on October 29.
Millions of Samsung Galaxy phones are now at risk from a severe vulnerability in chipset driver code, the second such warning in just the last few weeks. And while the latest monthly security update fixes one of those threats, the other remains open. The US government has told federal agencies to update affected phones by Tuesday October 29; the bad news is that the deadline has arrived before the update. Yes, you need to update your phone, but no, right now you can't.
Both vulnerabilities have prompted active-exploitation warnings. One came from Google, which alerted Galaxy users that CVE-2024-44068 has been targeted as "part of an exploit chain" alongside other vulnerabilities. It is a "use after free" flaw in driver code for Samsung's Exynos processors: a block of memory is released, but a pointer to it is still used afterwards, so whatever gets placed in that memory next is treated as if it were the original data. Malicious code that can control what lands in the freed region can leverage this to corrupt memory, which is why such bugs are useful links in a chain. It mostly affects older phones and was patched by Samsung in its October update.
The second alert came from Qualcomm and affects a wide range of mobile devices, not just Samsung's. But given Samsung's position as Android's dominant OEM, the impact on its install base will be greatest. It is the same class of use-after-free memory bug, and it too has been exploited in the wild.
Earlier this month, Qualcomm acknowledged “indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” confirming that fixes were made available to device OEMs in September. It urges OEMs to deploy those patches “on released devices as soon as possible.”
CISA, the US cybersecurity agency, added CVE-2024-43047 to its Known Exploited Vulnerabilities catalog, warning that "multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory." Under CISA's binding directive, federal civilian agencies (the mandate binds agencies, not individual employees) must "apply remediations or mitigations per vendor instructions" by October 29, "or discontinue use of the product if remediation or mitigations are unavailable."
Put simply, for a federal agency that means update or stop using the device; for everyone else it is a strong signal of urgency. There is no update as yet for Samsung phones: CVE-2024-43047 wasn't included in the Android or Samsung October updates, so that deadline is impossible to meet. The fix is widely expected in Android's November security update, but there is a good chance Samsung Galaxy users will have to wait another month.
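As an added illustration of the use-after-free class described above (example code written for this article, not Qualcomm's or Samsung's driver code), the C below models a tiny table of tracked memory maps in a fixed array, loosely in the spirit of CISA's "memory maps of HLOS memory" wording. The array stands in for freed kernel memory so the stale-handle problem is deterministic rather than undefined behaviour; the struct, field names, process IDs and addresses are all constructed for the demo. The first half shows the bug: a handle is a bare slot index, so a caller that keeps its handle after release silently resolves to whoever reused the slot. The second half shows a standard mitigation, a generation counter embedded in the handle and checked on every use, so stale handles are refused instead of aliasing someone else's mapping.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NMAPS 4                       /* tiny table so slot reuse is immediate */
#define MAP_HANDLE_INVALID UINT64_MAX

/* One tracked mapping. Field names are hypothetical, chosen for the demo. */
struct map_entry {
    bool     in_use;
    uint32_t generation;   /* incremented each time the slot is released */
    uint32_t owner_pid;    /* process that created the mapping */
    uint64_t phys_addr;    /* what the mapping points at */
};

static struct map_entry maps[NMAPS];

void maps_reset(void) { memset(maps, 0, sizeof maps); }

/* ---- Vulnerable pattern: the handle is a bare slot index ---- */

int vuln_map_create(uint32_t pid, uint64_t pa) {
    for (int i = 0; i < NMAPS; i++) {
        if (!maps[i].in_use) {
            maps[i].in_use = true;
            maps[i].owner_pid = pid;
            maps[i].phys_addr = pa;
            return i;                 /* nothing ties the handle to this lifetime */
        }
    }
    return -1;
}

void vuln_map_release(int h) {
    maps[h].in_use = false;           /* slot is free for the next caller */
    maps[h].generation++;
}

/* No liveness or ownership check: a stale handle resolves to whoever
 * reused the slot, which is the use-after-free confusion in miniature. */
const struct map_entry *vuln_map_lookup(int h) {
    if (h < 0 || h >= NMAPS) return NULL;
    return &maps[h];
}

/* ---- Hardened pattern: handle = index + generation, checked on use ---- */

typedef uint64_t map_handle;

static map_handle mk_handle(int idx, uint32_t gen) {
    return ((uint64_t)gen << 32) | (uint32_t)idx;
}

/* Resolve a handle only if the slot is live, the generation still matches
 * and the caller owns it. Any stale or forged handle yields NULL. */
struct map_entry *safe_map_lookup(map_handle h, uint32_t caller_pid) {
    int idx = (int)(uint32_t)h;       /* MAP_HANDLE_INVALID becomes -1 and is rejected */
    uint32_t gen = (uint32_t)(h >> 32);
    if (idx < 0 || idx >= NMAPS) return NULL;
    struct map_entry *e = &maps[idx];
    if (!e->in_use || e->generation != gen || e->owner_pid != caller_pid) return NULL;
    return e;
}

map_handle safe_map_create(uint32_t pid, uint64_t pa) {
    int idx = vuln_map_create(pid, pa);
    if (idx < 0) return MAP_HANDLE_INVALID;
    return mk_handle(idx, maps[idx].generation);
}

bool safe_map_release(map_handle h, uint32_t caller_pid) {
    if (!safe_map_lookup(h, caller_pid)) return false;  /* double release or wrong owner */
    vuln_map_release((int)(uint32_t)h);  /* bumps generation, invalidating old handles */
    return true;
}

/* Scenario: process 1001 releases its map but keeps the handle, process 2002
 * then gets the same slot, and 1001 looks up its old handle.
 * Returns the pid the stale handle resolves to; 2002 means 1001 now reads 2002's map. */
uint32_t demo_vulnerable(void) {
    maps_reset();
    int ha = vuln_map_create(1001, 0x1000);
    vuln_map_release(ha);
    (void)vuln_map_create(2002, 0x2000);
    const struct map_entry *e = vuln_map_lookup(ha);
    return e ? e->owner_pid : 0;
}

/* Same sequence with generational handles. True when the stale handle is
 * refused (lookup and release) while the live handle still works. */
bool demo_hardened(void) {
    maps_reset();
    map_handle ha = safe_map_create(1001, 0x1000);
    if (!safe_map_release(ha, 1001)) return false;
    map_handle hb = safe_map_create(2002, 0x2000);
    return safe_map_lookup(ha, 1001) == NULL && safe_map_lookup(hb, 2002) != NULL
           && !safe_map_release(ha, 1001);
}

int main(void) {
    printf("vulnerable: stale handle resolves to pid %u\n", (unsigned)demo_vulnerable());
    printf("hardened:   stale handle refused: %s\n", demo_hardened() ? "yes" : "no");
    return 0;
}
```

The generation check is the same idea behind tagged handles and object versioning in real kernels: the cost is a few bits in the handle and one compare per use, and it turns a silent aliasing bug into a clean failure. It does not, on its own, stop a stale raw pointer kept inside the driver, which is why drivers also need to clear or refcount pointers on release.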
Samsung told me it “takes security issues very seriously. We are aware of the report regarding potential vulnerabilities in some of Qualcomm’s chipsets and have been working with Qualcomm to address this issue. We have started rolling out security updates since October, but updates may continue being released at a later date, which will vary by network provider or model. We always recommend that users keep their devices up-to-date with the latest software updates.”
Meantime, it warns “some patches to be received from chipset vendors may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver.”
And so owners of Samsung models as recent as some Galaxy S23 devices are left in the impossible position of an update deadline they simply cannot meet. As I have said before, install November's update as soon as it is released and check its release notes for CVE-2024-43047. Until then, the vulnerability remains a risk.
The good news for Samsung users might be signs of life for the One UI 7 beta, which finally brings Android 15 to Galaxy phones much later than expected. SamMobile has reported that while the company didn’t reveal the beta at its recent US developer conference, “it appears that it could open the beta program at the SDC 2024 event in South Korea in November.” Nothing confirmed yet, but that would generate huge excitement as Android’s biggest OEM gets its biggest security update yet. Theft protection, live threat detection and private spaces could be on display soon.
Meanwhile, hitting CISA’s deadline may not be the only impossible task on Samsung’s immediate to-do list. There is bad news for the Android OEM by way of the latest stats on global smartphone shipments, as the company battles Apple in the premium segment—with Google’s Pixel also eroding some of its Android market share at the expensive end, and low-cost Chinese players coming up from behind, with cheaper units offering much of the same technology.
The Financial Times reports that "Samsung Electronics is struggling to hold on to its crown as the world's top-selling smartphone maker, compounding a mounting crisis at South Korea's largest company." IDC has just issued an update on third-quarter smartphone shipments, showing Samsung's share down three percentage points year-on-year, from 21% to 18%. "Analysts estimate that its smartphone division's operating profit dropped by as much as 30 per cent over the same period," the FT reports.
It's iPhone that matters most, of course. Which is why Korean media reports suggest "Samsung is reviewing the brand subdivision of 'Galaxy' smartphones consisting of various lineups." The idea being that the Galaxy brand would be reserved for premium, flagship handsets competing with iPhones, not for the lower-cost models.
This could have implications for security as well as for AI, which have become two of the defining drivers in the premium segment. With the expectation now that devices will receive security updates for as long as six or seven years as standard, there are clear cost and component implications. The same is true for AI, with the privacy-fueled drive for on-device processing raising build costs.
“Samsung Electronics has always been in the lead in global smartphone shipments,” says Korea’s E Today, “but sales are gradually decreasing. In addition, it lags behind the iPhone in the premium lineup, which is important in terms of profitability. In particular, the preference for iPhone among young consumers is noticeable.”
As I reported earlier in the week, this divide between Samsung and iPhone could well be exacerbated by AI, with Apple’s Private Cloud Compute offering a game-changing level of cloud security and privacy for off-device AI processing. If this becomes the logical extension of “what happens on your iPhone, stays on your iPhone,” then Samsung will need an answer. Could we see security and privacy as a differentiator in a more exclusive, premium Galaxy category—maybe.