Yiamastaverna

Deadline for Samsung Galaxy and Google Pixel: 21 days to update or stop using your phone
This month’s updates arrived with an unwelcome surprise for Samsung and Pixel users: a serious Android security vulnerability had been discovered. Google confirmed on Tuesday that attacks are likely underway, and – also on Tuesday – Samsung and Google hastily released patches as part of their monthly updates.

It appears that the vulnerability and exploit were discovered by Google’s TAG threat hunters, which points to a sophisticated attacker. While only “limited, targeted exploitation” has been reported so far, once an exploit is out in the wild it tends to spread quickly.

It’s no big surprise, then, that the U.S. government has just told federal employees to update their Android devices by August 28 or stop using them by then. The DHS cybersecurity agency did the same in June when the last Pixel zero-day vulnerability was discovered and disclosed. This time, it took just 24 hours for CISA to add the new Android threat to its Known Exploited Vulnerability (KEV) catalog.

CISA’s update-or-stop-using instruction is mandatory for U.S. federal employees – and since we’re talking about Android, this will affect a large number of users. Other commercial and public organizations are encouraged to follow CISA’s instructions to protect their own environments, and many already do. Personal users should also make sure this update is applied promptly, especially if you access employer systems from a personal device. That is a well-trodden attack path.

CISA’s warning is similar to Google’s, which states that the vulnerability and exploit “allow remote code execution.” Again, it’s reasonable to conclude that a sophisticated APT or even a government exploit has been discovered. But this is how many such threats make it to the wider market, and there’s a real possibility that the gap between the release of the patch and its widespread adoption could widen, especially during this period of highest risk.

While the vulnerability and exploit themselves are serious, the problem with such threats is that they can be used together with other vulnerabilities (known or unknown) as part of a chain attack, as we saw with the similar alert in June.

Google included the fix for CVE-2024-36971 in the August Android security update, which ships as part of the Pixel’s monthly update. Samsung added the fix to its own August update. Ironically, Samsung had already scheduled the fix for the June zero-day for this month and included it as well. The two exploited vulnerabilities were listed side by side in Samsung’s advisory (above) – all very neat and clear.

The previous zero-day was initially flagged only for Pixels before Google and then Samsung confirmed that Samsung devices were also affected. As before, Samsung was not covered by the latest CISA alert, which only named Pixel phones.

The problem for Samsung right now is the usual slow monthly delivery of security updates depending on the device, region and carrier, as well as the fact that some older and cheaper devices don’t have monthly updates available. Pixel has some of the same concerns, although not to the same extent.

How Google, Samsung and other OEMs will handle the mix of their usual update schedules and the CISA mandate remains to be seen. Failure to provide a timely resolution certainly seems to trigger CISA’s “cease use of the products if no remedies are available” clause. Stay tuned.

In the meantime, those of you who get the update in time should make sure you install it as soon as possible, with just 21 days left until the August 28 deadline.
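For an organization that wants to act on the CISA instruction rather than rely on users, the practical check is to read the KEV due date and compare each device’s security patch level against the patch level that carries the fix. The script below is an added example (not from this article, Google, Samsung or CISA). It assumes the public KEV catalog JSON shape (a `vulnerabilities` array with `cveID`, `dueDate` and `requiredAction`), a required Android patch level that is assumed to be `2024-08-05` and should be confirmed against the August 2024 Android bulletin, and device patch levels collected with `adb shell getprop ro.build.version.security_patch`; the device list and the KEV entry below are constructed samples.

```python
"""Triage an Android fleet against a CISA KEV update deadline.

Added example, not code from the article or from CISA/Google/Samsung.
Assumptions (labelled):
- KEV feed shape: {"vulnerabilities": [{"cveID", "dueDate", "requiredAction", ...}]}
- REQUIRED_PATCH_LEVEL is assumed to be 2024-08-05; confirm against the bulletin.
- Device patch levels are read from `ro.build.version.security_patch`; the values
  used here are constructed samples, not real fleet data.
"""
from __future__ import annotations

import json
from datetime import date
from typing import Optional

# Constructed sample in the shape of the CISA KEV catalog JSON feed.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2024-36971",
            "vendorProject": "Android",
            "product": "Kernel",
            "vulnerabilityName": "Android Kernel Remote Code Execution Vulnerability",
            "dateAdded": "2024-08-07",   # constructed; the article says "24 hours" after disclosure
            "requiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.",
            "dueDate": "2024-08-28",      # deadline quoted in the article
        }
    ],
})

# Assumed patch level carrying the fix (see module docstring).
REQUIRED_PATCH_LEVEL = "2024-08-05"

# Constructed sample fleet: device name -> value of ro.build.version.security_patch
SAMPLE_FLEET = {
    "pixel-8-alice": "2024-08-05",
    "galaxy-s23-bob": "2024-07-01",
    "galaxy-a14-carol": "2024-03-01",
}


def kev_entry(catalog_json: str, cve_id: str) -> Optional[dict]:
    """Return the KEV record for cve_id, or None if it is not in the catalog."""
    data = json.loads(catalog_json)
    for vuln in data.get("vulnerabilities", []):
        if vuln.get("cveID") == cve_id:
            return vuln
    return None


def parse_patch_level(level: str) -> date:
    """Android patch levels are YYYY-MM-DD strings; parse them so they compare as dates."""
    return date.fromisoformat(level.strip())


def is_patched(device_level: str, required: str = REQUIRED_PATCH_LEVEL) -> bool:
    """A device is covered when its patch level is at or after the required level."""
    return parse_patch_level(device_level) >= parse_patch_level(required)


def triage(fleet: dict[str, str], entry: dict, today: date) -> dict[str, str]:
    """Classify each device as compliant, update-required (with days left) or overdue."""
    due = date.fromisoformat(entry["dueDate"])
    result = {}
    for name, level in fleet.items():
        if is_patched(level):
            result[name] = "compliant"
        elif today <= due:
            result[name] = f"update required, {(due - today).days} days left"
        else:
            result[name] = "overdue: stop using until patched"
    return result


if __name__ == "__main__":
    entry = kev_entry(SAMPLE_KEV_JSON, "CVE-2024-36971")
    for device, status in triage(SAMPLE_FLEET, entry, date(2024, 8, 7)).items():
        print(f"{device}: {status}")
```

Run against a real fleet, the only pieces to swap in are the live KEV feed and the per-device `getprop` output; the comparison is done on dates rather than strings so that a device on a later patch level than the one assumed here is still counted as covered.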
