
The Android Security Bulletin for June 2016 is live - here is what you need to know

Google has released the latest monthly Android security update, with full details and new software available. The new Security Patch Level date is June 1, 2016, and changes to the Android Open Source Project should be finished and published within 48 hours. Google also tells us that partners have had access to the warnings in this month's bulletin since May 2 or earlier.

Google says that there have been zero reports of any devices actively exploited by these vulnerabilities.

This month brings patches for 21 security vulnerabilities, ranging in severity from critical to moderate. According to Google, the most severe issue is "a critical security vulnerability that could enable remote code execution on an affected device through multiple methods such as email, web browsing, and MMS when processing media files." It appears that the Stagefright library continues to be a popular focus for security researchers as well as Google's security team, which makes splitting the media server out of the OS layer and updating separately in Android N even more important.

Google also stresses (as it does each month) that there have been zero reports of any devices actively exploited by these vulnerabilities, and that platform-level security protections and service protections like SafetyNet make the risk of actually being affected quite low.

A quick summary:

  • Exploitation for many issues on Android is made more difficult by enhancements in newer versions of the Android platform. We encourage all users to update to the latest version of Android where possible.
  • The Android Security team actively monitors for abuse with Verify Apps and SafetyNet, which are designed to warn users about Potentially Harmful Applications. Verify Apps is enabled by default on devices with Google Mobile Services, and is especially important for users who install applications from outside of Google Play. Device rooting tools are prohibited within Google Play, but Verify Apps warns users when they attempt to install a detected rooting application—no matter where it comes from. Additionally, Verify Apps attempts to identify and block installation of known malicious applications that exploit a privilege escalation vulnerability. If such an application has already been installed, Verify Apps will notify the user and attempt to remove the detected application.
  • As appropriate, Google Hangouts and Messenger applications do not automatically pass media to processes such as mediaserver.

Full details of all the issues addressed can be found at the security bulletin site.

There is no word on when to expect the patch for any other Android-powered device, but current Nexus devices, Android One phones and the Pixel C have an update pushing out over-the-air starting today, and it should be rolled out to all devices in due time. If you're the impatient type (and if so, why aren't you running the Android N Beta?) you can flash the factory images posted at Google's Developer site.

Jerry Hildenbrand

Jerry is an amateur woodworker and struggling shade tree mechanic. There's nothing he can't take apart, but many things he can't reassemble. You'll find him writing and speaking his loud opinion on Android Central and occasionally on Twitter.

18 Comments
  • I'll be interested to see how build MCT19V behaves on my 6P, after the mess that was MCT19T. Hopefully, the issues of audio playback of my music on Play Music (intermittent starts and stops) via headset have been addressed, as well as the muting or outright ending of voice calls, and the seriously annoying triggering of Google Now while I play my music library, as well. Posted via the Android Central App
  • Come on Sammy and T-Mo... keep it up and release this for the S7 variants this week. You can do it!
  • My fingers are crossed. I love it when Samsung goes whole hog and does the right thing. Wish they did the same for older and budget models though.
  • Are security patches made available for the N Beta? This is my first month on N. Posted via the Android Central App
  • Yeah I'd like to know this too? Posted via the Android Central App
  • The next DP release, DP4, should include the new Android security patch, hopefully sometime mid month. Posted via the Android Central App
  • None of these patches apply for Android N.
  • It will be included in the next N update which should be out this Wednesday
  • As soon as I get home tonight I will update my devices.
    I see we have 2 updates for Nexus 6 (MMB30J & M)
  • For Android N ?
  • #T-mobile or #SamsungUpdates has yet to release any of the security updates for the Galaxy Note 4 Posted via the Android Central App
  • Well, these have been available since May 2nd to partners. Being on Verizon, I'm thinking August at best, maybe September. I'm going to test drive T-Mobile's 3 week tourist pass on a backup phone for my area and a few weekend trips when it goes live on the 12th. Just about had enough with a few key issues such as this on a network that has great coverage for me and mine. Posted via the Android Central App
  • Still waiting for my May patch on my Nexus 10. Posted via the Android Central App
  • N preview 4 should be out in 2 days Posted via the Android Central App
  • Already have the June 1 update on my PRIV.
  • I love this approach of keeping it updated every month to make our phones more secure. But Android fragmentation is too big. Old devices will be dead, with no update to a higher version and no security updates, especially for low end devices. :(
  • My Galaxy S7 Edge was hacked. The hacker was zapping pictures with the front camera and typing on the message app using gesture typing. I saw the Lookout app get launched. I tried to shut off the phone but the power off and restart buttons were disabled. The day after, con artists called me and the phone answered the call automatically even though the phone is not set up to answer calls automatically. Nobody could tell me how the hacker hacked my phone since I think my limited apps are supposed to be safe.
  • I call bs. Posted via the Android Central App