Google wants Android manufacturers to deliver patches to end users more quickly
Google believes that there is a gap between the different companies that together build an Android device. As a result, it says, patches are not delivered quickly enough. The American company calls for patches to reach end users more quickly.
According to Google, there were a number of cases last year in which a supplier (of a chip, for example) had released a patch for a vulnerability and Android manufacturers subsequently failed to distribute this patch quickly to the end users of their devices. This allows n-days, vulnerabilities for which a patch already exists, to act as zero-days, vulnerabilities for which no patch exists yet.
The company cites a vulnerability in Arm's Mali GPU, discovered last year, as an example. This vulnerability was reported in July 2022 and Arm released a patch in October. However, it took until April 2023 before the patch was actually distributed to end users. According to Google, gaps like these are not unusual, but they are said to be more common and to last longer among suppliers and manufacturers of Android devices. The company therefore calls on suppliers and manufacturers to deliver patches and bug fixes to end-user devices more quickly.
Google also writes in the report that 41 zero-days were discovered last year. That is 28 fewer than in 2021. The American company also reports that seventeen of the 41 discovered zero-days can be labeled as variants of previously discovered vulnerabilities. According to Google, there was also an increase in the number of bug collisions, the term used when multiple people report the same vulnerability or bug. Google considers this good news: according to the company, it would mean that the number of zero-days that are actively used will decrease.