Google Confirms Android Attacks-No Fix for Most Samsung Users
53 points | 2 hours ago | 9 comments | forbes.com | HN
charcircuit
1 hour ago
[-]
> But in reality, Samsung (and the other Android OEMs) cannot compete with Google and its unique control over hardware and software.

Yes, they can. We are talking about applying provided security patches to source code, and then releasing a new version of their OS. For patches that have existed for months. The time from patch to release should be on the order of days from receiving the patches to having a validated OS release with the fix being sent to users. It's not the control of Android which makes it possible for Google to patch their Pixel branch of AOSP faster than Samsung can patch their own. It's that Samsung doesn't care about prompt security fixes so they don't allocate engineers to do the work.

reply
kwanbix
26 minutes ago
[-]
The problem is that each OEM releases 50 different models per year, vs Google (or Apple) that release 3 or 4 models.
reply
shiandow
16 minutes ago
[-]
If that truly is an issue then Android is a fundamentally broken OS.

How many different models of PCs get released? How hard is it to patch any of their OSs?

reply
klooney
1 minute ago
[-]
The fix was released in September according to GrapheneOS, so you'd think they could have it out for the flagships
reply
jacquesm
7 minutes ago
[-]
And then you install that 'security patch' and end up with a borked phone, apps that no longer work, new apps that you didn't ask for and so on.

Give me just the security updates please.

reply
xnx
1 hour ago
[-]
No fix yet for Samsung. Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.
reply
bigbadfeline
55 minutes ago
[-]
> Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

Being reliant on a single OS permanently nailed to the hardware is no less crazy. I'd like to be able to install another OS on a vulnerable device, it would help tremendously and not only with the security of that specific device.

Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.

Provide a way to unlock the phones and a standard BSP, it should be the law.

reply
edoceo
14 minutes ago
[-]
Please try to e-recycle rather than normal land-fill trash.
reply
ChocolateGod
1 hour ago
[-]
I hoped with a move to Fuschia, Google would attempt to fix this, but unfortunately Fuschia on mobile is dead.
reply
shwaj
41 minutes ago
[-]
It’s “Fuchsia” with a “chs” not a “sch”. Where do you get your information that it’s dead?
reply
jcranmer
25 minutes ago
[-]
As Randall Munroe pointed out in https://blog.xkcd.com/2010/05/03/color-survey-results/, almost nobody knows how to spell "fuchsia" correctly. I only remember it by the mnemonic of it's fuck, but with an s.
reply
crazygringo
17 minutes ago
[-]
I vote to just change the spelling to what almost everyone already thinks it is anyways.

It'll still be just as weird. But "chs" is just nonsensical. The idea that it would sound like "sh" is baffling. I mean, I know this is English spelling which is not known for its regularity, but this is just too much.

reply
kelnos
1 hour ago
[-]
> This [update] was rushed out to all Pixel users.

Pixel 8 here, still don't have the update. That's... not great.

reply
nervysnail
49 minutes ago
[-]
I'd suggest you use GrapheneOS.
reply
jeffbee
30 minutes ago
[-]
Just go to the software update, touch the button, then touch it a second time, and that will give you all available updates immediately, regardless of your random position in the rollout process.
reply
Terr_
14 minutes ago
[-]
Not working for me on Android 16, additional taps of the "Check for update" button in the bottom-right don't change the fact that it says "Your system is up to date" and that the last change was last month.
reply
jeffbee
6 minutes ago
[-]
Could be model-specific. I got the update by doing that manually on my Pixel 8 Pro, that also happens to be on the beta track so there are a few confounders. But that is the way to get the latest software that is waiting to be released to your phone, without waiting.
reply
baal80spam
1 hour ago
[-]
This requires user action, right? User needs to install the APK by hand? In other words - if I don't install any crap on my phone I am safe?
reply
bigbadfeline
40 minutes ago
[-]
> if I don't install any crap on my phone I am safe?

We don't know. Practically no technical information is released about the bug, for what I care any play store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.

reply
Squeeze2664
1 hour ago
[-]
Is GrapheneOS affected?
reply
bramhaag
1 hour ago
[-]
GrapheneOS has patched this CVE back in September: https://grapheneos.social/@GrapheneOS/115647360248469626
reply
jackwilsdon
1 hour ago
[-]
From what I can tell, if you're running the latest security preview release[1] then it's already fixed: https://grapheneos.org/releases#2025120400

[1]: https://discuss.grapheneos.org/d/27068-grapheneos-security-p...

reply
rew0rk
1 hour ago
[-]
While the information leakage/disclosure is a big issue, it feels like it's still a big jump to get users to install off-Play Store APKs?
reply
resist_futility
1 hour ago
[-]
nice list of vulnerabilities and source changes

https://source.android.com/docs/security/bulletin/2025-12-01

reply
baaron
1 hour ago
[-]
My tinfoil hat might be on too tight again... but the timing of this exploit coinciding with Google's full court press on Android user rights is just a little suspect. Especially after the ongoing public education campaign about the evils of "sideloading" an Android application.
reply
domoregood
1 hour ago
[-]
reply