208 points mohi-kalantari | 25 comments
1. ptx ◴[] No.46196795[source]
Never mind the December security patches, Samsung haven't even released the November patches yet, the ones for the critical severity RCE. Unless you have a "major flagship model" [1], because apparently only the richest users deserve to be secure.

[1] https://security.samsungmobile.com/securityUpdate.smsb

replies(5): >>46197211 #>>46197252 #>>46197442 #>>46197717 #>>46203041 #
2. JohnTHaller ◴[] No.46197211[source]
Google Pixel 7 and Pixel 7 Pro are still stuck on the October patches.
replies(5): >>46197641 #>>46197736 #>>46198102 #>>46201363 #>>46235461 #
3. ◴[] No.46197252[source]
4. j45 ◴[] No.46197442[source]
Samsung for the longest time was releasing updates way too late, and what they were releasing monthly was old patches.

Buying a device directly from Samsung may be different, but the manufacturer still has to usually convert the pure android update to their branch.

Still, trying to find a pure android phone is important. More manufacturers used to make them.

Example: https://www.androidauthority.com/best-smartphones-stock-andr...

replies(2): >>46197497 #>>46215369 #
5. vbezhenar ◴[] No.46197497[source]
> pure android phone

Do these even exist? The last phones I'm aware of were in the Android One program, but it ended years ago.

The link suggests Google Pixel, but it's not a pure Android phone, it's full of Google junk software.

6. defanor ◴[] No.46197641[source]
Pixel 6a used to show a September patch as the latest, but tapping "check for updates" found a new one. As mentioned in other comments here, apparently tapping those buttons twice may help.
replies(2): >>46198077 #>>46200800 #
7. riedel ◴[] No.46197717[source]
Why would you want security, if you get 'play integrity' for phones that have received no updates for 2 years? Google's current security practices are more than dubious IMHO. Now they are not releasing any source for security patches for 3 months, to 'protect' vendors that are too slow updating. As if there is no chance for bad actors to reverse engineer those patch sets.
replies(2): >>46198658 #>>46200028 #
8. th3typh00n ◴[] No.46197736[source]
My 7 is on the December one.
9. cmurf ◴[] No.46198077{3}[source]
Can confirm on a Pixel 6a.

Says September is the latest system update. Click check updates, says it's up to date, click check updates again, says it's preparing system update and hangs out for a while - then says it's downloading and installing a 781M update.

WTF?

Update: OK finally the update completes an hour later, even the reboot took longer than usual - says it's "updated to December 5, 2025"

This phone has been running Android 16 for a bit over a month now.

10. BoppreH ◴[] No.46198102[source]
You might be on a slow rollout group, I got the December patch on my Pixel 7.
11. homebrewer ◴[] No.46198658[source]
I have the strongest level of "Play Integrity" on a Xiaomi phone that hasn't received any updates since the beginning of 2020. Google Pay and co work fine. It makes sense when you remember that PI is not about security at all, that's just an excuse.
replies(1): >>46201550 #
12. ycombinatrix ◴[] No.46200028[source]
Play Integrity is just spyware - it does not provide any degree of security.
replies(1): >>46200626 #
13. riedel ◴[] No.46200626{3}[source]
Sorry for my irony. While I do not think it is spyware in itself, it sure is a way to force vendors to bundle spyware.
replies(1): >>46203090 #
14. JohnTHaller ◴[] No.46200800{3}[source]
I was clicking "Check for Updates" every few hours. Finally started working a bit ago.

Fun fact: Pixel 7 and Pixel 7 Pro didn't get a November update

15. gucci-on-fleek ◴[] No.46201363[source]
The December updates for Pixel 7 and Pixel 7 Pro are available to manually download on Google's website [0], so the updates do exist, although Google might not be rolling them out to the general public quite yet. But the December update for Pixel 7a is completely missing from that website, and trying to update from the Settings app also shows no updates available.

[0]: https://developers.google.com/android/ota

replies(2): >>46202689 #>>46220729 #
16. chii ◴[] No.46201550{3}[source]
The "integrity" refers to Google's bottom line!
17. fulafel ◴[] No.46202689{3}[source]
Is there a way to apply one of these manually (without getting into dev tools and wiping & flashing with the new image)?
replies(1): >>46202743 #
18. gucci-on-fleek ◴[] No.46202743{4}[source]
There are instructions at the top of the link. You need to use "adb" from the command-line on a computer, but it won't wipe any of your data, so it shouldn't cause any data loss. If you don't want to use "adb", you might be able to use [0], but I haven't tested it myself.

[0]: https://flash.android.com/welcome
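
Added example, not part of the thread or any commenter's post: the manual `adb` route mentioned in comment 18, with the downloaded OTA zip checked against its published SHA-256 before anything is sent to the phone. It assumes a Linux host with `adb` and `sha256sum` on the PATH and that the checksum is the one listed beside the download on the OTA page; the function names are made up for this example.

```shell
#!/bin/sh
# Usage: ./sideload.sh <ota.zip> <published-sha256>

# Succeeds only when the file's SHA-256 equals the expected hex digest.
verify_ota() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Whole months between a patch level and a reference date, both YYYY-MM-DD
# (the format of the ro.build.version.security_patch property).
patch_age_months() {
    py=${1%%-*}; rest=${1#*-}; pm=${rest%%-*}
    ry=${2%%-*}; rest=${2#*-}; rmon=${rest%%-*}
    # Strip a leading zero so "09" is not parsed as octal.
    echo $(( (ry - py) * 12 + (${rmon#0} - ${pm#0}) ))
}

sideload_ota() {
    zip=$1; sha=$2
    if ! verify_ota "$zip" "$sha"; then
        echo "checksum mismatch or missing file, not sideloading" >&2
        return 1
    fi
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "patch level before update: $level"
    echo "months behind today: $(patch_age_months "$level" "$(date +%Y-%m-%d)")"
    adb reboot recovery
    echo "Open the recovery menu, choose 'Apply update from ADB', then press Enter."
    read -r reply
    adb sideload "$zip"
}

# Only touch the device when both arguments are given.
if [ "$#" -eq 2 ]; then
    sideload_ota "$1" "$2"
fi
```
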

19. Grisu_FTP ◴[] No.46203041[source]
> Samsung haven't even released the November patches yet.

My fold 6 has the November "security patch level" or what does that refer to?

20. yaro330 ◴[] No.46203090{4}[source]
Elaborate please. PI on its own is just an insurance API for banking and similar apps to ensure that they can do secure compute on the device. It can also be used to check if the device that the app is running on is a genuine Android device, since no VMs or custom ROMs can pass hardware integrity.
replies(2): >>46205510 #>>46206367 #
21. subscribed ◴[] No.46205510{5}[source]
Well, only it isn't.

Very old, unpatched and rooted devices can fairly easily pass device integrity check.

It primarily assures the software vendor that the phone is running Google buttplug in the privileged mode.

Remember, handsets running on ANCIENT versions of Android with no patches for years. Whilst seems to be important to raise under the Forbes article (rightly) fussing about a couple of zero-days.

"Custom roms" (whatever that means) can easily spoof the checks in the specific situation (mainly hardware that allows for several things).

22. riedel ◴[] No.46206367{5}[source]
What sense does it make to certify an insecure device that may be subject to all kinds of remote exploits and elevated code execution as 'unmodified'? The argument of the banks is: the device is insecure (even with the latest patches). We all know the whole compliance is a bit more complex, so it might make sense on that level...
23. crusty ◴[] No.46215369[source]
I thought Google was moving stuff out of the open source stock android branch and into their proprietary pixel development branch, such that the functionality of stock android has been diminishing to the point that a phone running stock android would be barely usable as the device we'd expect. Maybe I've read wrong and misunderstood though.
24. JohnTHaller ◴[] No.46220729{3}[source]
The 7a got a November update while the 7 and 7 Pro did not. Perhaps that's related to the delay.
25. yencabulator ◴[] No.46235461[source]
Specifically for 7a:

Rumor is the Pixel 7a December update rollout was paused due to a severe wifi bug. You might not want to upgrade manually at this time, even if you find images available for download.

(The rumor is somewhat weak, it's apparently everyone regurgitating one seemingly AI chat.. Google needs to state the reason publicly.)