Fixing the latest bugs and exploits in Android every month.

Google has detailed the latest Android Security Bulletin and released the fixes for Nexus and Pixel devices.

These are exploits and other security concerns that affect Android as a whole. Issues with the operating system, kernel patches, and driver updates may not affect any particular device, but these need to be fixed in the Android base by the folks maintaining the operating system code. That means Google, and they've detailed the things they have improved for this month.

Updated factory images for Pixel and Nexus devices that are supported are available, and over-the-air updates are rolling out to users. If you don't want to wait, you can download and flash the factory image or OTA update file manually, and here are some handy instructions to get you started.

How to manually update your Nexus or Pixel

The company who made your phone uses these patches to send an update out to you.

These changes have been released to the people making Android phones for at least 30 days, but Google can't force anyone to deliver them to you. If you're using a phone from Samsung, LG, or anyone besides Google, you'll need to wait for them to send an update and shouldn't try to flash any of the above files.

Of course, Google has safety checks in place to prevent any problems on your phone because of any security exploits. Verify Apps and SafetyNet are at work anytime you add an app to your phone, and seamless updates to Google Play Services will keep them up to date regardless of any hold-up from a manufacturer or carrier. Details and incident numbers can be found in the yearly Android Security Review (.pdf file).

Highlights for June 2017

June 2017's update comes with two patch dates: 06/01/2017 and 06/05/2017.

  • Google Pixel devices for the Canadian carrier Rogers will get a hotfix for VoLTE issues in addition to security updates.
  • Qualcomm has patched a slew of device drivers for the Snapdragon platform. Most were of moderate severity but a Bluetooth-specific update is a critical patch.
  • NVIDIA, MediaTek, and Synaptics have also supplied patched device drivers for a range of issues rated from low to moderate. Any of these binaries that are applicable to Nexus or Pixel devices are available at the Google Developer site.
  • Exploits that allow remote code execution while viewing media in email, SMS or the browser continue to be addressed as new ones arise. This is a never-ending fight and a reason why monthly patches are important.

If you get an update with a patch date of 05/05/2017, you also have every issue addressed by the 05/01/2017 update in place.

Previous bulletin highlights

Here are summaries and highlights of recent patches from the monthly Android Security Bulletin. As with the current bulletin, these issues were also mitigated by Google's Verify Apps, Safety Net, and seamless updates to Google Play Services.

May 2017

May 2017's update comes with two patch dates: 05/01/2017 and 05/05/2017.

  • Qualcomm has patched an exploit that potentially could allow unauthorized bootloader access for devices using Snapdragon 800 series processors. Motorola has issued a separate update to address the Nexus 6.
  • A specific vulnerability in GIFLIB that can cause memory corruption when a bad file is received has been isolated and patched. This patch applies to Android 4.4 or higher and has been merged into AOSP.
  • Qualcomm, NVIDIA and MediaTek continue to address exploits that affect their "drivers" and have again refined the code for May 2017. Any of these binaries that are applicable to Nexus or Pixel devices are available at the Google Developer site.
  • Several moderate exploits in the Bluetooth stack that could allow a user to receive a file without explicit permission have been addressed. Patches have been merged into AOSP back to Android 4.4.

If you get an update with a patch date of 05/05/2017, you also have every issue addressed by the 05/01/2017 update in plac

April 2017

April 2017's update comes with two patch dates: 04/01/2017 and 04/05/2017.

  • MediaServer is once again the focus of patches for potentially critical exploits. Six possible ways a media file can cause memory corruption during decoding and playing have been patched in all supported devices from Google. Changes have been merged into AOSP as far back as Android 4.4.
  • A potential exploit in the Factory Reset process has been found and fixed for all supported Google devices and changes were merged into AOSP in 4.4 and above.
  • Updated firmware binaries to address hardware-specific vulnerabilities were received from Broadcom, HTC, NVIDIA, Qualcomm, and MediaTek. Any of these binaries that are applicable to Nexus or Pixel devices are available at the Google Developer site.
  • A number of important updates and patches for the Linux kernel have been found, applied and merged upstream.

If you get an update with a patch date of 04/05/2017, you also have every issue addressed by the 04/01/2017 update in place.

March 2017

March 2017's update comes with two patch dates: 03/01/2017 and 03/05/2017.

  • A remote code execution vulnerability in OpenSSL and BoringSSL was patched. This exploit could allow a specially built file to corrupt files stored in memory and potentially could allow remote code execution. All Android devices (everything else that connects to the internet as well) are vulnerable. Google has built patches for Android versions 4.4.4 through 7.1.1.
  • An elevation of privilege vulnerability in the recovery verifier that could enable kernel access to a local app has been patched. As above, this is a critical patch for all devices and Google provides a fix in AOSP for versions 4.4.4 to 7.1.1.
  • The AOSP Messaging app has been further patched to address a vulnerability that could enable another app to bypass Android's system-level protections and see data it shouldn't be able to access.
  • Updated firmware binaries to address hardware-specific vulnerabilities were received from Broadcom, HTC, NVIDIA, Qualcomm, Realtek, Synaptics and Google themselves for the ION subsystem. Any of these binaries that are applicable to Nexus or Pixel devices are available at the Google Developer site.

If you get an update with a patch date of 03/05/2017, you also have every issue addressed by the 03/01/2017 update in place.

February 2017

February 2017's update comes with two patch dates: 02/01/2017 and 02/05/2017.

  • Qualcomm and MediaTek have issued updates that prevent a malicious app from gaining elevated privileges by executing code in the kernel space. The code for these patches is not publicly available, but updated binary files are available at the Google Developer site. Devices running Android 7.0 or higher were not affected.
  • The AOSP Messaging and Mail apps have been patched to address a vulnerability that could enable another app to bypass Android's system-level protections and see data it shouldn't be able to access.
  • The Bionic DNS function (Bionic is Android's standard C library) has been patched to prevent a specific Denial of Service attack that would cause a device to freeze or reboot.
  • Updated firmware binaries to address hardware-specific vulnerabilities were received from Broadcom, HTC, NVIDIA, Qualcomm, Realtek, and Synaptics. Any of these binaries that are applicable to Nexus or Pixel devices are available at the Google Developer site.

If you get an update with a patch date of 02/05/2017, you also have every issue addressed by the 02/01/2017 update in place.

January 2017

January 2017's update comes with two patch dates: 01/01/2017 and 01/05/2017.

  • Qualcomm has fully patched the various exploits that were collectively called quadrooter. All phones with a patch date of 01/05/16 or later are patched. Qualcomm additionally assisted in patching less severe exploits in the camera and bootloader of some phones.
  • The multimedia server and support drivers for audio and video components continue to be updated to prevent exploits such as last year's Stagefright issues. Google made a promise to continuously monitor and patch the multimedia system to prevent a repeat and have so far delivered on it.

If you get an update with a patch date of 01/05/2017, you also have every issue addressed by the 01/01/2017 update in place.


Archives of all previous Android Security Bulletins are available at the Android Security website.

See the Android Security website for details on all bulletins