Emergency security update coming to Nexus devices due to discovered exploit

by: Edgar Cervantes, March 19, 2016

The promise of monthly security updates is refreshing, but sometimes even that schedule is not enough to keep devices protected. Google has just announced that it is releasing a mid-month security patch after the discovery of an exploit that could harm some devices, namely the Nexus 5 and Nexus 6.

The issue arose after Google found out about a rooting application using an “unpatched local elevation of privilege vulnerability in the kernel”. In other words, a malicious application exploiting this flaw would have the power to tamper with the system software itself. The only way to fix the handset then would be to re-flash the whole operating system.

It’s still a bit hard to be affected, though. Google does protect you from such apps in the Google Play Store, and even uses Verify Apps to keep external threats away. The only way to have been affected is if you were convinced to manually install the rooting app.

This advisory applies to all unpatched Android devices on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices. Android devices using Linux kernel version 3.18 or higher are not vulnerable.

There are multiple layers of security, but if you are living on the wilder side, rest assured the update is coming within a few days. Android partners have also been informed of the issue and the AOSP repository has been updated with the new information. So if you see a random update coming to your phone soon, it’s just Google watching over us.

  • Modman

    whoop dee doo. I’m running chroma. I get an update every month. so great not to be afraid of rooting or at the mercy of phone carriers for updates. knowledge is power.

    • Robert Clark

      Root is good. Lol. Ran chroma. I went with pure Nexus. But I’m still flashing a few as I just got nexus 6. Lol. Note 5 kept me away from stock Android too long.

    • Joshua P.

      You know the nexus gets an update every month as well without using a custom ROM.

  • Modman

    even if it gets me I’d clean wipe with twrp and start over.

  • Modman

    unless it deletes recovery and wipes twrp I could just restore my last backup or clean wipe. rooting and learning to install custom ROMs has its privileges.

    • Matthew Beckett

      Dude. The example listed is an exploit being used by a rooting app. People with the end goal of rooting without doing it properly aren’t going to have the ability to use TWRP or they’d already have root.

  • Modman

    All that is true. I was just stating that the benefits of rooting and custom recovery allow me not to worry about it.

  • Hel Thanatos

    Key ring exploit?

  • East Honco

    I believe Galaxy Nexus, Nexus 4, Galaxy S3, Xperia Z, LG G2, and many other old phones will not be patched….

    • hp420

      they patched aosp…just update your repo source, run a new aosp build, and you have your patch.

    • rocketcat14

      Probably. Google has allowed OEMs and carriers to modify too much, so Google cannot patch Android directly (this is the core issue here). It would be the same as if Microsoft were not able to patch Windows OSes – would people accept that? Still, it’s the practice in the phone world: never going to get updates, just sell-and-forget.

      Google should rewrite Android so that direct patches could be distributed. OEMs can add their own theming (like launcher apps etc.), but not modify core systems. Hardware manufacturers provide the drivers. It should not be hard; in the 2100th century, updates should be a no-brainer, doh.

      • Zzz73

        Google seemed to be moving that direction with Google Play Services update direct from the Play Store, but it seems like that has tapered off. I’m a hardcore Androider but some of their (Google’s) actions are hard to understand or defend. Android N is about to drop with just over 3% of services running M. c’mon Google…

        • rocketcat14

          I like the versatility of Android very much =) But at the same time I’m very disappointed to security patching difficulties. It should not be so laborious.

          I’m no programmer, but could it be that Android core vulnerabilities cannot be patched via Play store/services update? I read an article saying that an Android antivirus app cannot protect against the Stagefright bug because the antivirus is restrained by the Android permissions – so the only option is to do a firmware update to patch vulnerabilities.

  • Nallaikumaran

    Nexus sucks period (security flaw). They try to hide the truth. Look that Nexus 6P Main disadvantages. Terrible, The Samsung, LG, HTC, Sony are way better than the Nexus 6P.

    No expandable storage (microSD card slot)
    No water and dust resistant
    No Optical Image Stabilization (OIS) for the camera
    No Thermal spreader (Cooling technology to avoid the phones overheating)
    Nexus 6P problem is the heating issues which the Qualcomm Snapdragon 810 chipset is responsible for.

    No Super AMOLED- The large 5.7-inch display is an AMOLED capacitive touchscreen but not a Super AMOLED which is found on the Samsung Galaxy. Comparison wishes the Super AMOLED consumes less power which can save the battery juice a lot and, more importantly, it have better viewing angles than a standard AMOLED, but sadly it’s ain’t any with Nexus 6P.

    Lacks wireless charging
    Lacks a cable TV out option

    The 32GB Nexus 6P device components cost only $160-180.

    • Freak_ Aniket_

      NEXUS 6P is the best implementation of SD 810 on any device till now. I don’t think it really needs a thermal spreader.
      Yes, it lacks OIS but it has EIS.
      According to GOOGLE, 6P packs the same display of SAMSUNG NOTE 5 (power consumption is approx same ), SUPER AMOLED is a term that is only used by Samsung same as RETINA DISPLAY, term used by Apple for IPS.
      Wireless charging can be a deal breaker for someone.
      I think that’s why 6P cost $200 less than Galaxy S7. When you are paying high you can always expect to have some extra features, that may or may not be useful but you get them anyway..

      • Joshua P.

        If this is the best implementation then God damn the 810 sucks. It’s great for the first 10 minutes then poof, I’ve got a snapdragon 600 series phone all over again. I’ve taken to using my oneplus one while at home again, that phone rarely throttled down on me.

        Eis is some bushit. The display is nice and just like what you will get on an note which is where the benchmark is. Oh and the 6p Bends. Almost everything else is forgivable, but it’s about as strong as a chocolate bar and only give the appearance of strength.

        • Devon

          Have none of these problems with my 6p. I must have lucked out.

          • Joshua P.

            Or maybe I use mine more than designed. It’s hard to say. I’m stuck throttled down as I write this.

          • David Bowline

            Awe. It must really suck for you. My 6P is by far, the best phone I’ve ever owned. That includes the N1, N4, N5 and some garbage “top of the line” Samsung Galaxy S line of phones. You can complain all you want, but surfing porn, constant gaming, and multitasking 3+ tasks at a time, is just begging to ruin your phone.

            If you want a phone that doesn’t collapse under that weight, get something which isn’t force encrypted, root it and FLASH roms, or whatever it is you do to your phones, but don’t bag on Nexus security, because no other Android phones are force encrypted and receive constant security updates.

          • Joshua P.

            Yeah it does, I use it the same way I used my galaxy nexus, nexus 4, moto x, s4 and one plus one. When it throttles down it behaves slightly worse than my moto x does which is highly disappointing considering the cost and hype behind this guy.

            Porn is for tablets man.

            -Posted from my oneplus one as my 6p cools down on the table because apparently Disqus comments are enough to throttle down a 6p

          • Robert

            Yeah I’ve experienced none of these issues either. Nexus 6p is just a great phone. I don’t get the slams at build quality. This thing is solid. And updates !! Woot to updates. No longer waiting on Sammy and their months later if that updates.

        • VAVA Mk2

          Had my 6P since late October. No overheating, no bending, superb camera. You are full of shit.

      • Nallaikumaran

        You seem upset. What a shameless liar. I’m sorry, but this is ridiculous. Nexus 6P – No Super AMOLED. Thanks to the Nexus 6P fanboy (Freak Aniket) for showing us how dumb Nexus supporters really are and how easily it is to fool them.

        • Freak_ Aniket_

          …then please, will you explain me the difference between a Normal AMOLED and a SUPER AMOLED ?? what I know is Super AMOLED is the brand name given by Samsung to its range of superior smartphone displays. Super AMOLED displays reduce the thickness of the screen by integrating the touch response layer with the display itself ,this technology is only used by SAMSUNG and thus only SAMSUNG can use the name SUPER.

          As you said, Super AMOLED displays handle sunlight better than AMOLED displays and are also better on power consumption. As the name implies, Super AMOLED is simply a slightly better version of AMOLED.
          Google said that 6P has same display unit of NOTE 5 than it is also a SUPER AMOLED display but Google doesn’t use ‘SUPER’ term because that has to only used by SAMSUNG….
          I am not a fanboy I am just saying what I have read on articles.

          • Nallaikumaran

            you are a fool? You read my comment. “The large 5.7-inch display is an AMOLED capacitive touchscreen but not a Super AMOLED which is found on the Samsung Galaxy. Comparison wishes the Super AMOLED consumes less power which can save the BATTERY juice a lot and, more importantly, it have better viewing angles than a standard AMOLED, but sadly it’s ain’t any with Nexus 6P.”

            Super AMOLED includes the digitizer and the display. AMOLED includes only the display.

            AMOLED stands for active-matrix organic light-emitting diode. It consists of a set of thin film layers of electroluminescent power-producing organic compounds and a pixel-modulating matrix. Super AMOLED is a more advanced version. It integrates touch-sensors and the actual screen in a single layer.

            AMOLED consumes less power, provides more vivid picture quality, and renders faster motion response as compared to other display technologies such as LCD. However, Super AMOLED is even better at this with 20% brighter screen, 20% lower power consumption and 80% less sunlight reflection.

          • Freak_ Aniket_

            Mr, are you reading my comment??
            “Google said that 6P has same display unit of NOTE 5 than it is also a SUPER AMOLED display but Google doesn’t use ‘SUPER’ term because that has to only used by SAMSUNG….”
            pls explain this..

          • Nallaikumaran

            This is not true. I think all this fake just a propaganda for 6P. Check out Google search and mobile sites.

          • Bob Bigellow

            I only wear super jeans. All other jeans are worthless now.

        • VAVA Mk2

          It uses same gen panel as the Note 5 by Samsung. Stop being in denial.

    • Modman

      I think the nexus 6 is better than 6 p but only with chroma and a custom kernel. Some may criticize that saying they shouldn’t have to root just for patches and updates. The fact that I can run an os of my choice is a great option and nexus phones are the most open to allow this.

      • Freak_ Aniket_

        Why 6P isn’t better than 6 (both phones with chroma and custom kernel)??

        • Joshua P.

          Doesn’t bend for one thing.

          • Freak_ Aniket_

            Who is going to put a phone on that extreme pressure in real life??

          • Joshua P.

            Apparently my hand and front hoodie pocket are so extreme that my phone started bending.

          • Mk

            I have nexus 6 and the screen cracked in my pocket because it’s too dang big and it’s not built strong. Yes, I even have a cover on it.
            Unlike other cracked screens, this would cost me over $200 because apparently the glue used almost guarantees breaking the digitizer if the top glass is removed, so no one will replace the screen without buying the whole kit.

            Performance on nexus phones is great, but they’re so expensive for such cheap, cheap parts… I still owe $400 on it and the screen looks like a spider web.

            I used to own a galaxy 3, it was cheaper and took much more abuse, and was cheaper to fix. Regretting purchasing the nexus 6, not performance but physical quality should be MUCH better for the price.

          • Bob Bigellow

            I keep trying to bend mine so that I can fit it into smaller pockets. I had my pet elephant sit on it for a week and still no bend. I’d like to borrow your hoodie.

          • Mk

            No but the 6 screen is too big for its cheap casing to protect. It cracked just being put in my pocket, and that’s with a case on it. And because it’s made of cheap parts, it’s too risky to fix, so it will cost more than it’s worth.

  • Joshua P.

    Do you think they will release an update that will unbend my phone ?

    • Nick

      You shouldn’t have sat on it. Google doesn’t sell common sense.

      • Joshua P.

        Why would you assume I sat on it? Stays in my hoodie pocket. I have owned phones since the 90s, in the last 20 years of phone ownership I’ve broken and bent 0 devices. Well 1 now and it certainly isn’t because of any extreme stress I put on it. Check out the bent after two days thread on XDA developers and check your assumptions.

        When it comes down to it, the 6p looks nice, but that’s where its build quality ends. I’ll tell what Google does sell, brand new Nexus 6p phones bent in the box they come in.

        • Ernie

          I have had my Nexus 6p since November. I have a speck candyshell case for it and intelliglass on it. I have had no problems with my phone bending or not working well. I have dropped it about 3 ft a few times being my fault obviously. No damage or even a nick on it. Maybe get a good case for it. I have had a great experience with it thus far.

          • Cheese

            Sounds like he’s trolling, he says it came out of the box bent? Bullshit.

          • Joshua P.

            Check the “bent after two days” thread on XDA developers. We have been posting our bent phones on there, mine didn’t come bent but someone else’s did. That’s the most extreme. Most of the bent out of box phones have a slight bend that makes it wobble or have the screen separating near the volume buttons. The most egregious bend (aside from a full bend) is the kink between the power and volume buttons. In my case I went from a perfectly straight phone to a wobble and then to the screen starting to separate from the metal body on the upper left hand side.

          • Cheese

            I’m not checking anything, being bent out the box just doesn’t seem even close to feasible. And many of them? No. Sorry.

          • Joshua P.

            It’s really sad, the phone is just poorly built. And yes they come bent out of the box, hoorah for Huawei quality assurance. For a while people thought it was because of the cases they were using so there was a thread dedicated to that, but it happens to people case or not. A good number of people have the kink and don’t realize it until they take their phones out of the cases to clean them. If you have no desire to learn that’s a bummer.

            These big OEMs make a lot of phones; a bent one out of the box isn’t infeasible. Sometimes things slip through QA, or sometimes a lot of things slip through QA; it can and does happen. Years ago I used to sell phones and we would see it all the time. My favorite example was of some ptt flip phones LG put out for ATT a while back, more than once I took them out of the box for customers and flipped them open only to have the screen pop off the hinge and be left dangling by the cable. Other than that they were good phones. There were also a good number of HTC wizards that had faulty sliding mechanisms that would bind up out of the box, or blackberry pearls with trackballs that didn’t track anything. I can go on and on.

          • Cheese

            When it’s a problem like the iPhone, maybe I’ll pay attention but as of now, it doesn’t appear to be a problem for a lot of people.

          • Joshua P.

            It’s only not a problem like the iPhone because the volume is much lower. If you check XDA or Reddit you will see plenty of bent phone reports. Jerry rig put out a series of videos on the construction of the phone too.

            Google is very aware of the problem, the only thing they ask for is a picture not even an explanation. Which is good on them, but a pain in the ass for the consumer.

          • Freak_ Aniket_

            According to you, which is the best smartphone out there right now under $499 with SD810, FULL METAL BUILD, STOCK ANDROID, QHD SAMSUNG MADE AMOLED, DUAL FRONT FACING STEREO SPEAKERS, BEST CAMERA ON ANY SMARTPHONE, USB C WITH FAST CHARGING and SUPERFAST FINGERPRINT SENSOR please suggest

          • Joshua P.

            I don’t think you’re going to get all those options at that price, but you could come damn close with a oneplus 2 and not worry about bending. It’s worth noting that a “full metal” phone means nothing if that metal is thin and weak.

          • Freak_ Aniket_

            sir, why are you so serious about bending of 6P.??

          • Joshua P.

            Because this thing pretends to be a premium phone and has a premium price tag but Bends with normal use. That’s messed up.

          • Bob Bigellow

            I’ve also heard on the Internet that if you lie about your phone, it will bend. Since I heard about it on the Internet, it must be true.

        • Nick

          Again, Google doesn’t sell common sense. You can go read what other posters say and watch these ridiculous videos where people force bend the phone for clicks, it’s irrelevant. You don’t know the circumstances and guess you trust everything you read on the internet. My 6p has been outstanding…

          • Joshua P.

            And mine bent without any trauma and others have had it happen without any direct pressure too. Hm if I had common sense I would think that some people have had issues with the poor build quality and others have not , yet

          • Brett

            If you bend your phone, you have done something retarded to it. It takes a good amount of pressure to bend it. It’s a tech device not a child’s toy. Remember it’s thin glass and aluminum. I use mine in the gym. Works perfectly. Get a case genius and stop abusing your electronics. You should be past your Tonka ⛟ days

          • Joshua P.

            Nope, sure didn’t. It’s just built so poorly that it has trouble with bending. Check the “bent after two days” thread for dozens of other stories and even more spread across Reddit and in other places, turns out that using a case won’t help the phone when it comes to bending. In 20 years of cellphone ownership I have dropped phones twice. I dropped a droid maxx once and a oneplus one once. I’ve never lost a phone or even scratched a screen. In 20 years. When I say to you that I found my bend while doing my nightly phone cleaning you should get the idea that I take very good care of my phones.

          • Siddarth Puranik

            Same with me just bought and it’s been the best phone I’ve ever owned

        • Benedict

          Call Google. Perhaps they send you a new one if you explain your problem.

          • Joshua P.

            I actually got mine from Huawei directly and I do plan on exchanging it, but my bend is mild at the moment and I’m watching it every day. I’m curious if my bend (the upper left hand screen is separating from the body) leads to the kink on the right side or not. For science.

      • Mark

        You’re full of shit Joshua, I have had a 6P since December and I’ve had it in my jeans front pocket and back pocket and accidentally sat on it and guess what mine isn’t bent. Sat on it while on the front seat of my car too and nope still not bent. I have a very thin silicone cover so no BS hard case to protect it. You need to get rid of Android and go with an iPhone. Stop embarrassing yourself.

        • Joshua P.

          So your phone has not bent, therefore I am full of shit. Take a look over at XDA devs and tell everyone on the bent phone thread that.

    • Scr-U-gle

      The Nexus 6 bent on its own, there is a long list of users on this site who complained about this in a article a while back.

      The battery seems to have expanded and bent the device.

      They had to wait three months for a return code, then a further three months for the device to be replaced.

      I believe it has been called ‘Self-Bend Gate’.

  • Modman

    Who needs TV out when there’s chromecast all cast? And which is better is a matter of perception. I’ve never put an oversized phone in my pocket. I’ve been using a big leather case since Blackberry. The Nexus 6 has OIS, wireless and quick charging, not sure why 6p doesn’t when it’s the nexus after. It’s all about marketing if you want the latest greatest toy you have to shell out 600 plus. Buying last year’s nexus on amazon has worked out a lot better for me. What did you do to get it to bend? The Beauty of the nexus is running anything you want. It’s more risky to circumvent locked bootloaders and risk bricking expensive Samsung phones. Samsung has been becoming controlling like apple with their devices. Ignoring the freedom their devices once had before Knox came. They will put removable sds back in sgs7 but no removable batteries. Not including the removable batteries is planned obsolescence. I would have bought a Samsung device if those freedoms still existed. I’ve lived without removable SD and battery since I owned opo and now this device. I like custom ROMs. I don’t consider the way the phone comes out of the box the end all be all.

  • Lucky Armpit

    Great, I have to reflash my Nexus 6 yet again. I have yet to be able to install an OTA security patch. I get Andy lying on his back with ERROR. Every. Single. Time. My bootloader is unlocked (has to be to flash Nexus images) but I am not rooted nor do I have any custom ROMs installed. Very frustrating.

    • Daniel H

      When you fastboot flash leave out -w. That will wipe.

  • Mary Johanssen

    The vast majority of users that download viruses deserve them as they come from websites with sketchy content.

    • bhsand

      What is “sketchy content”?

      Why do people who visit sites that (in your opinion) contain “sketchy content” deserve to have their phones hacked?

      • devin gray

        I don’t think people deserve to get hacked but I do believe with vulnerabilities like this people should know what to avoid but there are still lots that don’t.

    • Joshua P.

      The Stagefright exploit happens when someone just sends you an MMS message with a payload. You don’t even have to open it.

      • gg

        People are indeed that ignorant. They always jump to conclusions without even knowing the facts. This my friend is called the Internet.

  • Modman

    Wouldn’t doubt the 6p is sick with chroma and a custom kernel either. I don’t own one so I can’t say.

  • Modman

    Yes I could get an update on stock every month. However I like to be rooted and Chainfire’s root breaks the ota. Chroma is like stock with added features and I can dirty flash through twrp. That is much easier than clean wiping every time I want to take an ota.

  • Sam Brown

    why do people get so salty in these comment threads haha. a lot of you are comparing the 6p to the S7 but really the 6p should be compared to the S6 seeing as they are both 2015 phones, the 2016 Nexus hasn’t even been announced yet and we all already know it will wipe the floor with the S7. More people complain about Samsung devices than Nexus devices anyway and yes of course a handful of people are going to get unlucky with devices but that happens with every manufacturer. So quit your whining and buy whatever goddamn phone you like.

  • Alex Covello

    I make sure what I download is legit. Retards that download any app get what they deserve. There are obvious ways to make sure your device is safe. -_-

  • M3D1T8R

    Four days later and I still haven’t got an update on my Nexus 6. Not really worried about the exploit, just FYI.