Google's monthly security update for Android this month was heavy on vulnerabilities in third-party components. The diversity of Android devices means Google has to stay on top of vulnerabilities in various chip-set and other hardware drivers.
Unlike Apple, Google doesn't control all the elements in the Android ecosystem, so keeping Android secure becomes a supply chain problem. Google has to depend on chip-set partners to improve their testing process before contributing code to Android and to promptly submit patches to fix vulnerabilities.
Of course, Google can keep releasing security updates, but so long as carriers and manufacturers control the update process for the vast majority of devices, very few users reap the security benefits.
Of the 40 vulnerabilities fixed in June's Android Security Bulletin, half were in third-party code, across multiple Qualcomm components, the Broadcom Wi-Fi driver, the Nvidia Camera driver, and the MediaTek power management driver. Critical and high-severity vulnerabilities were fixed in Qualcomm drivers for video, sound, GPU, Wi-Fi, and camera, affecting Nexus 5, Nexus 5X, Nexus 6 and Nexus 6P, and Nexus 7 devices. The Broadcom fix impacts Nexus 5, Nexus 6 and Nexus 6P, Nexus 7, Nexus 9, Nexus Player, and Pixel C devices. The escalation-of-privilege flaw in the Nvidia Camera driver exists in Nexus 9 and the MediaTek bug is found only in Android One.
For the past few months, Google has been quietly patching flaws in third-party drivers from Qualcomm, Nvidia, MediaTek, Broadcom, and Texas Instruments. Since January, Google has addressed 22 vulnerabilities in Qualcomm drivers alone. For the most part, they were critical or high-severity elevation of privilege flaws, although there were a handful of information disclosure bugs of moderate severity. The escalation-of-privileges flaws in Qualcomm that were fixed in this month's release could allow malicious applications to execute code and brick the targeted device, or give those applications local access to elevated capabilities they shouldn't have.
Recently, researchers from Duo Labs disclosed details of a flaw in Qualcomm's Secure Execution Environment related to the Android Mediaserver component. The bug, which was patched in January's monthly update, affected all versions of Android including the latest Marshmallow. Affected hardware included Qualcomm Snapdragon series chip sets found in Samsung's Galaxy S5 and S6, Motorola's Droid Turbo, and Google's Nexus phones. Duo Labs estimated that about 60 percent of Android devices are vulnerable, but it's difficult to tell how many devices have received the update.
The 27 percent of Android devices considered too old to receive any monthly updates would be permanently vulnerable, Duo said.
FireEye disclosed another Qualcomm flaw last month, which was brought into Android in 2011 when Qualcomm contributed an API for the network_manager system service to the Android Open Source Project (AOSP). While a patch is available, it's another fix that non-Nexus owners have yet to see land on their devices.
The Android security model can't keep going like this for much longer. The Stagefright flaw disclosed nearly a year ago was extremely serious, as it could be used to attack anyone remotely simply by knowing the phone number. That was supposed to be a wakeup call, with manufacturers pledging to provide regular updates. That hasn't worked out well the past year. It's luck so far that there hasn't been any real attacks targeting Stagefright yet.
So far, the third-party issues require a malicious app to trigger the vulnerabilities, but considering 1 in 200 phones have a potentially harmful application, that scenario is not so far-fetched. It's looking more and more likely that the update situation on Android devices will not improve until there is an actual widespread attack against the hordes of unpatched users.