Google’s annual review of zero-day exploits has raised concerns about the effectiveness of patches and the handling of known vulnerabilities in the Android ecosystem. The report questions whether zero-day vulnerabilities are even needed on Android: as soon as Google becomes aware of a vulnerability, it becomes an n-day flaw regardless of whether a patch has actually reached devices. This means attackers can keep exploiting known vulnerabilities without worrying about an available patch, because the fix has not yet been deployed to the devices they target.
Google pointed out that in some cases, patches have not been available to users for a significant amount of time due to a disconnect between upstream (developer) fixes and downstream (manufacturer) adoption. The company emphasizes the need for clear communication and collaboration among all parties involved to quickly share technical details and deploy fixes and mitigations to protect users effectively.
While the number of zero-day vulnerabilities detected in 2022 decreased compared to the previous year, attackers are still exploiting n-day vulnerabilities, which remain a concern for the Android ecosystem. Google calls for more comprehensive patching that addresses the vulnerability as a whole rather than only the specific exploitation method observed.