Google confirms Android attacks; no fix for most Samsung users
GrapheneOS and Patch Timing
- Commenters note GrapheneOS had already patched the relevant CVEs months earlier (September/October) on its security preview channel, ahead of Google’s public Pixel rollout.
- This is used to argue that even a small team can ship Android security fixes quickly if they prioritize it.
Pixel and Samsung Update Delays
- Several Pixel owners report not seeing the “rushed” December update, needing tricks like double-tapping “Check for update” or manually sideloading OTA images. Carriers (e.g., T‑Mobile) are blamed for lag in approvals.
- Samsung is criticized for not even having November patches on many devices, with only major flagships current. Some see this as effectively reserving security for higher-end buyers.
OEM Fragmentation vs. Responsibility
- One side argues Samsung’s many models and heavy Android customization make fast patching difficult; each variant is almost its own OS.
- Others counter this is self‑inflicted: if you ship 50 models, you must budget to maintain 50; PC and Linux ecosystems manage far more hardware.
- Closed, non-upstreamed drivers are identified as a core cause of slow updates and poor long-term support.
Threat Model and Exploit Details
- Linked CVEs describe local privilege escalation (e.g., adding a device owner post‑provisioning, launching activities from the background) and at least one critical Dolby audio RCE.
- Many say risk is mainly from malicious or compromised apps rather than web content; if you don’t install “crap,” risk is lower but not zero, because trusted apps can be updated with payloads or embed shady ad SDKs.
- Some think the focus on this bug is overblown relative to more common phishing/scam attacks; others stress that modern RCE often leads to quiet botnet/“residential VPN” enrollment, not obvious malware.
Sideloading, Play Store, and Play Integrity
- Commenters debate whether this specific attack realistically requires sideloaded APKs; this is unclear from public info.
- Google’s app scanning and store review are called “security theater” compared to curated repos (e.g., F‑Droid, Linux distros).
- Play Integrity is widely criticized as serving Google’s business interests rather than user security, since very old unpatched devices can still pass.
Custom ROMs, Unlocking, and Device Longevity
- Strong sentiment that users should have a legal right to unlock bootloaders and install alternate OSes (GrapheneOS, LineageOS), especially once vendor support ends.
- LineageOS’s support for hundreds of devices is cited to show that multi‑device security maintenance is feasible.
- Banking apps and contactless payments on custom ROMs are described as a cat‑and‑mouse game, though some report success with specific banks and wearable‑based payments.
Samsung and UX / Ecosystem Critique
- Samsung is characterized by several as “user hostile”: aggressive bloatware, nagging, fragmented companion apps, and artificially limited features (e.g., watch features tied to Samsung phones).
- Others still choose Samsung for unique hardware (stylus devices) or price, despite poor update discipline.
Meta: OS Monoculture and Fuchsia Tangent
- Frustration that mainstream users effectively have only two mobile OS choices; some lament limited flagship options in the US versus Asia.
- A substantial side thread digresses into the spelling, pronunciation, and etymology of “Fuchsia,” lightly mocking Google’s naming and English orthography.