Samsung Galaxy users now have an impossible new problem
Updated on October 30 with an update on Samsung’s battle with the iPhone for global deliveries and a possible brand change, both of which impact the more secure premium handset market. This article originally appeared on October 29.
Millions of Samsung Galaxy phones are now at risk from a serious hardware vulnerability – the second alert in recent weeks. And while the latest monthly security update addresses one of these threats, the other remains a threat. The US government has instructed users to update their phones by Tuesday, October 29. The bad news is that this means the deadline has arrived just before the update. Yes, you need to update your phone, but no, that’s not possible right now.
Both vulnerabilities have resulted in active attack alerts. One from Google, which warned Galaxy users that CVE-2024-44068 was being targeted as “part of an exploit chain,” among other vulnerabilities. This is a ‘use after free’ threat to Exynos processors, meaning that memory access is not closed after processing, while latent references remain. This can be exploited by malicious code. It mainly affects older phones and was patched by Samsung in the October update.
The second warning came from Qualcomm and affects a wide range of mobile devices, not just those from Samsung. But given Samsung’s position as the dominant Android OEM, the impact on their install base will be the greatest. The issue occurs in the same type of use after free memory vulnerabilities, and has also led to active attacks.
Earlier this month, Qualcomm acknowledged “indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation,” confirming that fixes were made available to device OEMs in September. It urges OEMs to deploy these patches “on released devices as soon as possible.”
CISA – the US cybersecurity agency – has added CVE-2024-43047 to its Known Exploited Vulnerability catalog, warning that “multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services, while the memory cards of the HLOS memory is preserved.” All federal employees have been instructed to “apply remedial or mitigation measures as instructed by the supplier” by October 29, “or discontinue use of the product if remedial or mitigation measures are not available.”
Catalog of known exploited vulnerabilities: deadline is October 29
Simply put, this means you need to update your phone or stop using it. There is no update yet for Samsung phones. CVE-2024-43047 was not included in the October Android or Samsung updates, so meeting that deadline is impossible. The issue is widely expected to be fixed in the November Android security update, but chances are Samsung Galaxy users will have to wait another month.
Samsung told me it “takes security issues very seriously. We are aware of the report of possible vulnerabilities in some Qualcomm chipsets and have been working with Qualcomm to address this issue. We started rolling out security updates in October, but additional updates may be released at a later date. This varies per network provider or model. We always recommend that users keep their devices up to date with the latest software updates.”
In the meantime, the company warns that “some patches that will be received from chipset vendors may not be included in the month’s security update package. They will be included in upcoming security update packages as soon as the patches are ready for delivery.”
And so, owners of Samsung models, like some Galaxy S23 devices, find themselves in the impossible position of an update deadline that they simply can’t meet. As I’ve said before, make sure you check for the November update as soon as it’s released. Until then, vulnerability remains a risk.
The good news for Samsung users could be a sign of life for the One UI 7 beta, which ultimately brings Android 15 to Galaxy phones much later than expected. SamMobile has reported that while the company didn’t reveal the beta at the recent US developer conference, “it appears it could open the beta program at the SDC 2024 event in South Korea in November.” Nothing has been confirmed yet, but that would cause major excitement if Android’s biggest OEM gets its biggest security update yet. Theft protection, live threat detection and private areas could be seen soon.
Meanwhile, meeting CISA’s deadline may not be the only impossible task on Samsung’s to-do list. There’s bad news for the Android OEM, as evidenced by the latest global smartphone shipment statistics, as the company takes on Apple in the premium segment – with Google’s Pixel also taking some of its Android market share on the expensive side is eroding, and cheap Chinese players are coming from behind, with cheaper units offering much of the same technology.
The Financial times reports that “Samsung Electronics is struggling to hold on to its crown as the world’s best-selling smartphone maker, exacerbating a mounting crisis at South Korea’s largest company.” IDC just released an update on Q3 smartphone shipments, showing that Samsung is down 3% year-over-year, from 21% to 18%. “Analysts estimate that the smartphone division’s operating profit fell by as much as 30 percent over the same period,” theft reports.
Of course, it’s the iPhone that matters most. That is why Korean media reports suggest that “Samsung is reviewing the brand division of ‘Galaxy’ smartphones, consisting of different lineups.” The idea was that the Galaxy brand would be reserved for premium, flagship devices that come with iPhones, and not for the cheaper models.
This could impact both safety and AI, which have become two of the defining factors in the premium segment. With devices expected to be supported for six to seven years out of the box (i.e. security updates), there are clear cost and component implications. The same goes for AI, where the privacy-driven push for on-device processing increases construction costs.
“Samsung Electronics has always led the way in global smartphone delivery,” Korea said E Today“but turnover is gradually decreasing. Moreover, it lags behind the iPhone in the premium range, which is important in terms of profitability. The preference for iPhone among young consumers is particularly striking.”
As I reported earlier this week, this divide between Samsung and iPhone could be exacerbated by AI, with Apple’s Private Cloud Compute providing a breakthrough level of cloud security and privacy for AI processing outside the device. If this becomes the logical extension of “what happens on your iPhone stays on your iPhone,” then Samsung needs an answer. Could we see security and privacy as a differentiator in a more exclusive, premium Galaxy category, perhaps?
