All Android phone owners who missed the October deadline: you need to update now

Android warning affects millions of users. (Photo: AFP via Getty Images)

There is a sting in the tail of this month’s Android security update, details of which were released this week. Google has confirmed that two vulnerabilities fixed in the release “may have limited and targeted exploitation.” Nothing particularly unusual in itself, except that one of those threats, CVE-2024-43047, a flaw in particular Qualcomm chipsets, prompted a US government warning with a mandate to update affected Android phones, or stop using them, by October 29. For most users that was clearly impossible, because the fix only reached Android builds this week.


On October 8, CISA, the US government’s cybersecurity agency, warned that “multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP services while preserving HLOS memory maps.” A use-after-free is a memory-safety bug class in which freed memory is reused, and in a DSP driver it typically means local privilege escalation or code execution. CISA required all federal civilian agencies to “apply remedial or mitigation measures according to the supplier’s instructions” by October 29, “or discontinue use of the product if remedy or action is not available.”

As for the fixes, Qualcomm says it made patches available to device OEMs in September and urged them to deploy these “to released devices as soon as possible.” While those patches are now part of the November Android release and will reach Pixels as they update, the story will vary for other OEMs. Samsung, for example, has not yet confirmed this fix, and it was missing from its own November security update, released on the same day as Android’s.

Affected chipsets. (Image: Qualcomm)

Although CISA’s official mandate under its Known Exploited Vulnerabilities (KEV) catalog applies only to federal agencies, the agency maintains the catalog “for the benefit of the cybersecurity community and network defenders – and to help every organization better manage vulnerabilities and keep pace with threat activity… Organizations should use the KEV Catalog as an input to their vulnerability management prioritization framework.” Other public and private organizations should therefore also apply these updates as they become available. The exploitation was first reported by Google’s Threat Analysis Group, which suggests both that it is serious and that it likely involves spyware, a threat to businesses.

Smartphone users can see the affected chipsets above, and most can compare their phone model against the list published by Qualcomm. All Android OEMs should release the update now that it is available, although when it lands on a given device will still depend on model, region, carrier and lock status. For federal personnel with affected phones, the deadline has passed and you should make sure you get updated as soon as possible. For everyone else the same advice applies: do not leave devices unprotected longer than necessary and, until you are updated, be wary of what you click, install and open.
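For anyone who would rather check a device than wait for an OEM announcement, the following is an added example (not from the article, Google or Qualcomm) that reads the security patch level and SoC identifiers a device reports and decides whether it carries the November 2024 bulletin. It assumes the standard AOSP property names `ro.build.version.security_patch`, `ro.soc.model` and `ro.board.platform`, and that Qualcomm component fixes ship under the bulletin’s later (-05) patch level, which is the Android bulletin’s usual split. The sample `getprop` dump inside it is constructed with placeholder values, not captured from a real phone.

```shell
#!/bin/sh
# Added example: classify an Android device's reported security patch level
# against the November 2024 bulletin and extract SoC identifiers for comparison
# with Qualcomm's affected-chipset list. Assumes standard AOSP property names
# and that Qualcomm fixes sit in the -05 patch level (assumption, see lead-in).

REQUIRED_LEVEL="2024-11-05"

# Succeeds (0) if patch level $1 >= $2, fails (1) if older, returns 2 if malformed.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip dashes so 2024-11-05 becomes 20241105 and a numeric compare works.
    [ "$(printf %s "$1" | tr -d '-')" -ge "$(printf %s "$2" | tr -d '-')" ]
}

# Extract one property value from a `getprop` dump ($1 = file, or - for stdin).
# getprop prints lines as "[name]: [value]", so split each line on the brackets.
prop_from_dump() {
    awk -F'[][]' -v name="$2" '$2 == name { print $4; exit }' "$1"
}

# Classify a dump: prints PATCHED, UNPATCHED or UNKNOWN (property missing).
check_dump() {
    level=$(prop_from_dump "$1" ro.build.version.security_patch)
    patch_level_ok "$level" "$REQUIRED_LEVEL" && rc=0 || rc=$?
    case $rc in
        0) echo PATCHED ;;
        2) echo UNKNOWN ;;
        *) echo UNPATCHED ;;
    esac
}

# SoC identifiers to compare against the bulletin's chipset list.
soc_from_dump() {
    printf '%s/%s\n' "$(prop_from_dump "$1" ro.soc.model)" \
                     "$(prop_from_dump "$1" ro.board.platform)"
}

# Live variant for a connected device with USB debugging enabled (needs adb).
check_device() { adb shell getprop | check_dump -; }

# Constructed sample dump (placeholder values, not from a real device) standing
# in for `adb shell getprop` on a phone still on the October patch level.
SAMPLE_DUMP=$(mktemp)
cat >"$SAMPLE_DUMP" <<'EOF'
[ro.board.platform]: [example_platform]
[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-10-05]
[ro.soc.model]: [SM0000]
EOF

echo "SoC: $(soc_from_dump "$SAMPLE_DUMP")  verdict: $(check_dump "$SAMPLE_DUMP")"
rm -f "$SAMPLE_DUMP"
```

The patch level is self-reported by the OEM build, so a PATCHED verdict tells you the vendor claims the bulletin’s fixes are included; it does not prove the Qualcomm DSP driver on that particular model was actually rebuilt, which is exactly the gap the Samsung example above illustrates.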


Another zero-day vulnerability has also been patched in the November Android release: CVE-2024-43093. This one is Google’s own and sits in the Android framework; Google Play, meanwhile, has been in the news this week for other reasons, having caused chaos on certain Pixel phones and prevented apps from running. This patch did make it into Samsung’s November SMR, and you can check your own OEM’s update details on its usual security bulletin page or in the update listing on the device.

With two seriously exploited vulnerabilities and a CISA deadline that has already passed, this month’s release strikes a more serious note than usual. Update your phone as soon as possible.