The Android April 2 security patch is live - here are the details you need to know

Google has released the details surrounding the April 2 security patch for Android, completely mitigating issues described in a bulletin several weeks ago as well as a slew of other critical and moderate issues. This one is a bit different from previous bulletins, with special attention paid to a privilege escalation vulnerability in versions 3.4, 3.10 and 3.14 of the Linux kernel used in Android. We'll discuss that further down the page. In the meantime, here's the breakdown of what you need to know about this month's patch.

Updated firmware images are now available for currently supported Nexus devices on the Google Developer site. The Android Open Source Project has these changes rolling out to the relevant branches now, and everything will be complete and synchronized within 48 hours. Over the air updates are in progress for currently supported Nexus phones and tablets, and will follow the standard Google rollout procedure — it may take a week or two to get to your Nexus. All partners — that means the people who built your phone, regardless of brand — have had access to these fixes as of March 16, 2016, and they will announce and patch devices on their own individual schedules.

The most severe issue addressed is a vulnerability that could allow remote code execution when processing media files. These files can be sent to your phone by any means — email, web browsing, MMS or instant messaging. Other critical issues patched are specific to the DHCP client, Qualcomm's Performance Module and RF driver. These exploits could allow code to run that permanently compromises the device firmware, forcing the end user to re-flash the full operating system — if "platform and service mitigations are disabled for development purposes." That's security-nerd speak for allowing apps from unknown sources to be installed and/or allowing OEM unlocking.

Other vulnerabilities patched also include methods to bypass Factory Reset Protection, issues that could be exploited to allow denial of service attacks, and issues that allow code execution on devices with root. IT professionals will be happy to also see mail and ActiveSync issues that could allow access to "sensitive" information patched in this update.

As always, Google also reminds us that there have been no reports of users being affected by these issues, and they have a recommended procedure to help prevent devices from falling victim to these and future issues:

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team is actively monitoring for abuse with Verify Apps and SafetyNet, which will warn the user about detected potentially harmful applications about to be installed. Device rooting tools are prohibited within Google Play. To protect users who install applications from outside of Google Play, Verify Apps is enabled by default and will warn users about known rooting applications. Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove any such applications.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Regarding issues mentioned in the previous bulletin

On March 18, 2016 Google issued a separate supplemental security bulletin about issues in the Linux kernel used on many Android phones and tablets. It was demonstrated that an exploit in versions 3.4, 3.10 and 3.14 of the Linux kernel used in Android allowed devices to be permanently compromised — rooted, in other words — and affected phones and other devices would require a re-flash of the operating system to recover. Because an application was able to demonstrate this exploit, a mid-month bulletin was released. Google also mentioned that Nexus devices would receive a patch "within a few days." That patch never materialized, and Google makes no mention of why in the latest security bulletin.

The issue — CVE-2015-1805 — has been patched completely in the April 2, 2016 security update. AOSP branches for Android versions 4.4.4, 5.0.2, 5.1.1, 6.0, and 6.0.1 have received this patch, and the rollout to the source is in progress.

Google also mentions that devices that may have received a patch dated April 1, 2016 have not been patched against this particular exploit, and only Android devices with a patch level dated April 2, 2016 or later are current.

The update sent to the Verizon Galaxy S6 and Galaxy S6 edge is dated April 2, 2016 and does contain these fixes.

The update sent to the T-Mobile Galaxy S7 and Galaxy S7 edge is dated April 2, 2016 and does contain these fixes.

Build AAE298 for unlocked BlackBerry Priv phones is dated April 2, 2016 and does contain these fixes. It was released in late March, 2016.

Phones running a 3.18 kernel version are unaffected by this particular issue, but still require the patches for other issues addressed in the April 2, 2016 patch.
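
The criteria above (a patch level of April 2, 2016 or later, and kernel series 3.4, 3.10 and 3.14 for CVE-2015-1805) can be checked from the two strings a device reports. The script below is an added example, not code from Google or from this article; the function names and status labels are illustrative, and the sample values in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify a device from its reported patch level and kernel
# release, using only the criteria stated in the article.

# kernel_series "3.10.73-g0000000" prints "3.10" (constructed sample value)
kernel_series() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeeds only for a well-formed YYYY-MM-DD patch level of 2016-04-02 or
# later. A level of 2016-04-01 fails: it lacks the CVE-2015-1805 fix.
patch_is_current() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;  # missing or malformed: treat as not current
    esac
    [ "$(printf '%s' "$1" | sed 's/-//g')" -ge 20160402 ]
}

# assess_device PATCH_LEVEL KERNEL_RELEASE
assess_device() {
    if patch_is_current "$1"; then
        echo "PATCHED"
        return 0
    fi
    case "$(kernel_series "$2")" in
        # Kernel series the article names as affected by CVE-2015-1805
        3.4|3.10|3.14) echo "EXPOSED-CVE-2015-1805" ;;
        # e.g. 3.18: not affected by that issue, still missing the other fixes
        *) echo "NEEDS-APRIL-PATCH" ;;
    esac
}

# Live check of a connected device: run the script with --adb
if [ "${1:-}" = "--adb" ]; then
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    kernel=$(adb shell uname -r | tr -d '\r')
    echo "patch level: ${level:-none reported}  kernel: $kernel"
    assess_device "$level" "$kernel"
fi
```

The patch level is a string the build reports about itself, so the result is only as reliable as the vendor's labelling of that build.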

Jerry Hildenbrand
Senior Editor — Google Ecosystem

  • Literally just downloaded this 20 minutes ago on my T-Mobile Galaxy S7. Does read April 2. Funny I saw the story T-Mobile was pushing an update, checked my phone and it was there. Easy peasy Posted via the Android Central App and my Galaxy S7
  • Don't get used to it. They are hyper supporting the S7 right now because it's the hot new phone. Give it a few months. You will be soo behind on security and OS updates. Nothing is different for Samsung outside of wanting to sell as many phones as possible right now. They want potential buyers to be like "oh, wow, Samsung so on top of it" - I'm buying an S7! Nah. Flash in the pan to generate early sales. Support will slow to a typical Samsung pace which is glacial.
  • But they updated the S6 for Verizon already, too. I complain about Samsung not staying current because I want them to do better for the people using their phones. They have done better for April. I hope they do even better for May. No sense in not giving them credit for a job well done, unless your goal is to just hate on them as a company.
  • Yep, my S6 was updated on 4/1/16 a pleasant surprise and the April update to boot.
  • True. Just looking at my Note 5. In no way up to date. Perhaps they are the new "Nexus speed company," but I'm doubtful. They have a long history they need to overcome. We shall see if they are able to deliver 12 incremental updates per year along with OS patches/new versions. Yeesh. Let's see.
  • I absolutely agree. We can't be hitting Samsung on not updating and then not give them credit where credit is due. This is excellent progress and support that I hope continues. Posted via the Android Central App
  • I agree as well. But it's like the terrible employee that does something great once. Everyone is hopeful but very skeptical at the same time. History cannot be erased.
  • Haha...good analogy. Consistency is what I want to see from them in 2016. I don't even care if they're not the first most times out, as long as it's timely and consistent. I was a happy camper this morning. Posted via the Android Central App
  • You think Samsung is bad, try Motorola. Was 6 months behind on my droid razor. Have had more updates on my s6 than Motorola ever did
  • I believe this is the first time I've seen any of the Samsung Galaxy devices getting the update as soon as the patch goes live. Certainly a refreshing sight.
  • It is. And I couldn't be happier. :) Samsung (for many people) is the face of Android. I love knowing they are starting to step things up.
  • Still rocking the Nexus 6P wallpaper on your S7e, though, right? Posted via S7 edge
  • of course :)
  • Still on January in the LG G4. :/ Oh well, it's gonna be sold anyway. Though I'll probably check soon. It hasn't notified me of anything new,
  • I'm happy to see it as well. Now, Verizon just needs to push the updates past their link in the chain. Posted via the Android Central App
  • This is important. We can be pretty sure that the S7 patch was sent to all the carriers, not Just T-Mobile. Same with the S6 — it didn't just get built for Verizon. Now we can know who to blame for delays on those two models.
  • Yes, although I actually never had any doubt who was to blame as I'm sure you and most folks here didn't. Thanks Posted via the Android Central App
  • +1 Posted via the Android Central App
  • I wonder how many weeks it will be before Google makes it available as an OTA update for this 6p that I bought from them. Sad that the S7 has it before the Nexus and yet very encouraging at the same time. I hope Samsung keeps it up! Posted via the Android Central App
  • I'm a 6P owner and I have not even received the March patch yet...
  • Different method of end-user testing. Google stays very cautious and slowly releases an OTA in batches, then monitors user feedback. Samsung (in this case) went with the shotgun method and let carriers roll with it. Not sure which I like better, to be honest lol.
  • I still haven't received the March 18 patch. I prefer quick updates tbh. Perhaps it should be something Google lets you opt into. Posted via the Android Central App
  • No one has; they folded it in here, right Jerry? Posted from my Nexus 6/Nexus 7 2013/Surface Pro 3
  • According to the article it never materialized in a large-scale rollout. It's been incorporated here as noted by another responder.
  • The best brand is motorola actually.... With every update, they would break something in your phone. It could either be your camera roll images being deleted or the problem of ghost touch being faced by numbers of consumers but still not doing anything..... Motorola is the best (hehe) Posted via the Android Central App
  • Moto is pretty good, but my pure is still stuck on February... Posted via the Android Central App
  • I haven't had any of those issues on my spare moto x pure, but as another commenter stated, still on February update. Posted via the Android Central App But then again, so is my shiny, new S7edge on VERIZON.
  • Don't have it for my N6 yet Posted from my Nexus 6/Nexus 7 2013/Surface Pro 3
  • I usually get it around the 10th of every month. Posted via Nexus 6 running on any data plan I want
  • It's out, I just downloaded it
  • I never seem to get it using AT&T network. I tend to have to reflash the phone to update.
  • I'm curious to know what I should do regarding OTA. My device is rooted. Alcatel mpcs lollipop 5.1.1..
  • Kind of ironic that you are rooted and care about security updates. Posted from my Nexus 6/Nexus 7 2013/Surface Pro 3
  • Good point Posted via Nexus 6 running on any data plan I want
  • Moto X Force and stuck on December. Posted via the Android Central App
  • Yeahhhhhhhhh Posted from my Nexus 6/Nexus 7 2013/Surface Pro 3
  • Any word on the security patch and update for the Android N preview for April? Posted via my Nexus 5X on T-Mobile
  • Are these "security updates" only "security" updates, or do they push out non-security related bug fixes as well? The reason I ask is that I am waiting on a bug fix for my N5 that has been confirmed fixed by Goog but not yet pushed out. Wondering if should get my hopes up that one of these updates will fix it or if I have to wait until 6.x.x
  • If you mean the Nexus 5X then you're waiting for the March 1st patch (check on Settings->About Phone), which includes security and some big fixes (I got it and the whole thing runs much smoother), all the other patches are security only. If you meant Note 5, I don't know, ask Samsung. Posted via the Android Central App
  • Any new features or other bug fixes? Security updates don't give me the motivation to bother unrooting and going through the update process...
  • That's fine and dandy. But if you get infected, don't complain.
  • Yep Posted from my Nexus 6/Nexus 7 2013/Surface Pro 3
  • Infected with what, seriously, more scare tactics by these OEMs. The chances of getting infected are slim to none. Posted via the Android Central App
  • That's true. But all it takes is "one" time. I downloaded an app from the play store once, a game. Can't remember what game but it wreaked havoc on my lg g3. To this day, I do not play games on my phone.
  • Updated my Nexus 6.
    Waiting for the image for Nexus 9 Wi-Fi
  • I know I'll never get it. Great stuff Posted from my Droid Turbo
  • Wow! I just got the 6.0.1 and april 2 security patch 2 days ago on my S6 edge. Samsung is improving on how fast they update their device! Posted with ❤LOVE❤
  • When is note 5 security patch coming, no update since December 2015, feeling insecure might be compromised.
  • Got the update just last week on my s5 active.. glad 2 get it. Late or not!
  • Curious if I'll EVER get marshmallow...
  • Please someone tell me where security patch is located?
    I mean in what section of firmware? Sboot, modem or system?