Google doubles Android update to cope with rash of Qualcomm bugs

Google has released a monster 108 fixes in its Android security update for July, and has even split the update in two to due to flaws in the drivers of chips from Qualcomm, MediaTek, and NVIDIA.

The latest update is a little more complicated than others Google has issued since kicking off monthly updates a year ago. Until now, Android owners could tell how up-to-date their phones were by checking ‘About Phone’ in Settings to view the Android Security Patch Level. The screen would display the first day of the month that the patch was issued.

But for July, Google split this month’s update into two security patch levels: one for July 5, 2016 that covers devices with vulnerable drivers from Qualcomm, MediaTek, and NVIDIA and includes general Android fixes; and another for July 1, 2016 that guarantees to fix Android bugs, but may fix device-specific bugs.

Google split the update to help Android handset makers fix critical issues faster. Just under three-quarters of the bugs Google fixed were “device specific”, affecting drivers of certain chips that may be used one model, but not another. The update highlights the so-called fragmentation issues that Android has become known for.

“Devices that use the security patch level of July 5, 2016 or newer must include all applicable patches in this (and previous) security bulletins,” Google explains in its July bulletin.

“Devices that use the July 1, 2016 security patch level must include all issues associated with that security patch level, as well as fixes for all issues reported in previous security bulletins. Devices that use July 1, 2016 security patch level may also include a subset of fixes associated with the July 5, 2016 security patch level.”

The update puts a spotlight on how far Google is from matching Apple’s relatively smooth update process for iPhone owners. One measure of this can be seen in the adoption of the latest versions of iOS and Android; while 10 percent of Android devices run Google's latest version of Android, version 6.0 Marshmallow, 84 percent of iOS devices run Apple’s latest major release, iOS 9. Both were available within a month of each other.

There are two “critical” issues in Google’s July 1 patch level, which include seven distinct flaws affecting Android’s Mediaserver component. Mediaserver bugs have dominated critical bugs in Android since Google began monthly patching. Google has made the component more secure in the next version of Android, Nougat, by restricting system permissions.

The July 5 patch level covers seven “critical” issues spanning 12 vulnerabilities that affect drivers from Qualcomm, MediaTek, and NVIDIA.

The update includes fixes for dozens of high severity bugs in Qualcomm chips for Android devices and follows new evidence that Qualcomm’s implementation of ARM’s hardware security module could be broken to undermine encryption on Android devices.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Follow our new CSO Australia LinkedIn
Follow our new social and we'll keep you in the loop for exclusive events and all things security!
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

Tags GoogleAppleAndroidqualcommnvidiaMediaTekiOS devicesDevice-specific bugsQualcomm bugs

More about AppleARMGoogleQualcomm

Show Comments

Featured Whitepapers

Editor's Recommendations

Brand Page

Stories by Liam Tung

Latest Videos

More videos

Blog Posts