Google fixed a critical security flaw for Pixels, but other Android phones were left hanging


What you need to know

  • Google patched a serious security issue for Pixel devices with the release of the June Pixel Feature Drop last week.
  • Though the flaw affects more Android devices, non-Pixel devices will have to wait for Android 15.
  • This decision leaves Android devices vulnerable to an actively-exploited flaw for months.

Last week, Google finally addressed a critical security flaw that researchers and security advocates have been raising awareness of since April. The problem? Google included the fix in the June Pixel Feature Drop, and other Android phones aren't able to receive the update. BleepingComputer first reported the patch, and the team at GrapheneOS — who first reported the vulnerability — confirmed that non-Pixel devices will need to wait for Android 15 to get a fix.

Google patched 50 security vulnerabilities in the Android 14 QPR3 update for Pixels. However, one stands out because it is a zero-day vulnerability. This means that the flaw was actively exploited in the wild before Google became aware of it. Zero-day security vulnerabilities are the most severe, and thus, Google recommends that all Pixel users apply the June update as soon as possible. 

The company shared this information on the Pixel Update Bulletin, which is where Google provides updates on security problems affecting Pixel devices or Android. "There are indications that CVE-2024-32896 may be under limited, targeted exploitation," the company explains. According to GrapheneOS, the actively-exploited CVE-2024-32896 refers to the same exploit that was previously reported as CVE-2024-29748. The new identifier represents the Pixel-exclusive fix that was included in the June update. 

The issue is an elevation of privilege (EoP) problem with Android firmware that Google rated as "high severity" for Pixels.

"It was exploited by forensics companies against users with apps like Wasted and Sentry trying to wipe the device when detecting an attack," the GrapheneOS team explained. "We addressed it as part of making our duress PIN/password feature and reported it to get Google to fix it across Android, which is now done." 

The developers add that two core problems make the exploit possible. The first is that system memory is not erased when the device enters fastboot mode, meaning that an exploit can access older system memory. A separate but related issue is that the Android Open Source Project device admin API needs a reboot to recovery to erase the device, though this has been fixed in Android 14 QPR3.

The first problem was previously fixed on Pixels, and the second was fixed in the June Pixel Feature Drop. However, as we've mentioned, Pixel phones and tablets are the only ones that receive the fix. That's because of the way that Android OEMs release software updates and fixes, and it isn't entirely Google's fault. 

Why other Android phones aren't getting a fix


Considering that this issue was actively exploited and has a high severity, you're probably wondering why other Android devices aren't getting a fix. After all, Google is advising Pixel users to update their devices ASAP to protect themselves. The truth is that Google has done its part, and it's up to the other OEMs to implement a fix. The company included the patch in Android 14 QPR3, and any device that receives the Android 14 QPR3 update will get it. 

Fixes like this one are often added to the Android Open Source Project, or AOSP, which serves as the basis for other versions of Android. An operating system like Samsung's One UI or OnePlus' OxygenOS uses AOSP as the groundwork. The issue is that third-party operating systems usually apply AOSP upgrades yearly. So, Samsung will likely use the AOSP version of Android 15 as the basis for One UI 7. However, a future version of Android 15 QPR2 or Android 15 QPR3 wouldn't impact Samsung Galaxy devices until One UI 8. 

In other words, the reason Google Pixel devices are the only ones to get this patch is that they're the only ones to receive monthly, quarterly, and yearly updates. Theoretically, a company could take the fix included in Android 14 QPR3 and apply it to its phones. However, since other OEMs don't do quarterly updates, the security patches included in Android 14 QPR3 won't hit their devices until Android 15.

Some security patches are seeded to older versions of Android through a process called backporting. This doesn't happen for every patch, though. Google probably should have backported the fix for this security flaw, keeping in mind the severity and its zero-day status. However, it's not necessarily Google's responsibility to do so. Additionally, only half of the security issues are related to AOSP. No one can solve the first issue described above except each manufacturer itself. 

This is the latest example of how choosing an Android phone from a brand other than Google can put a user at a security risk. Other brands are too slow to respond to critical zero-day flaws with patches, and it's a real problem. Sometimes the blame lies with Google, other times with the partner OEMs, and it's often a mix of both. Either way, the users suffer.

Brady Snyder
Contributor

Brady is a tech journalist for Android Central, with a focus on news, phones, tablets, audio, wearables, and software. He has spent the last three years reporting and commenting on all things related to consumer technology for various publications. Brady graduated from St. John's University with a bachelor's degree in journalism. His work has been published in XDA, Android Police, Tech Advisor, iMore, Screen Rant, and Android Headlines. When he isn't experimenting with the latest tech, you can find Brady running or watching Big East basketball.
