Google's Pixel phones are flying from shelves, with Black Friday deals enticing even more shoppers to upgrade an older Pixel or switch from another Android or even an iPhone. And unlike Samsungs, Pixels also have exciting new Android 15 security upgrades, now generating increasing excitement across the market. But whether it's a new or old device, you need to make sure you update it before November 28.
With all the holiday season activity, it's easy to forget that Google started November warning that Android devices were under attack and issuing an urgent fix. If that's not enough, this month's Android security update also includes a fix for a Qualcomm vulnerability that's also under attack, this one delayed from October.
Both these vulnerabilities prompted the US cybersecurity agency to mandate all federal employees to update their phones or power them down. The imminent deadline to do so is November 28, and while CISA's mandate is just for government staff, its warnings apply much more widely, and are published to help "every organization better manage vulnerabilities and keep pace with threat activity."
Google says that CVE-2024-43093, a vulnerability in the core Google Play system framework that underpins much of the app infrastructure on devices, opens devices to attack through what is described "as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to 'Android/data,' 'Android/obb, and 'Android/sandbox' directories and its sub-directories."
It's now becoming ever clearer that this vulnerability has introduced serious exposure to external storage on phones, with the risk that sensitive data can be stolen from phones, and so it is imperative all users update as soon as possible.
Meanwhile, October's CVE-2024-43047 prompted Qualcomm to urge Android OEMs to deploy patches "on released devices as soon as possible," given "indications from Google Threat Analysis Group that it may be under limited, targeted exploitation." Pixels are lucky here, they will receive the patch when they apply November's update. This prompted an October CISA mandate missed by all. Unlike Pixels, it wasn't included in Samsung's November release, and is being deployed more slowly.
Pixels are currently out on their own as the only Android devices with the latest security innovations, at least those that upgraded to Android 15. Live threat detection, where device-based AI flags malicious behavior locally and scam call monitoring have come first to Pixels. Add these to Samsung's ongoing Android 15/One UI 7 delays, and this is a good time to be on Google's side of the fence.
Meanwhile, enssure November's update has installed. Two zero-days plus a raft of other fixes, make it critical you update now and don't miss the deadline.