Android's security advisory page shows what vulnerabilities have been found in the wild. Security researcher Maddie Stone from Google's Project Zero:

https://twitter.com/maddiestone/status/1395004346996248586

Not sure what to say about encouraging users to throw caution to the wind. We got to this point of such good exploit mitigation because it's good for everyone for these devices to be secured.



A bit silly to link a page about malware that Play Protect prevents, largely local privescs that are being detected by the OS or Google Play beforehand.

An average user installing apps from Play Store has nothing to worry about for those. That's kind of the point.

It's great for these devices to be patched - I'd love it if Google would take more control over the ecosystem to be able to patch this sort of thing, but it's much worse for users to just throw out otherwise working devices with limited-to-no real-world security issues.


Google Play Protect has limited capabilities to protect against in-the-wild exploits of the kind Maddie described. It knows about certain packaged implementations, which means that it can offer some defense from off-the-shelf uses of an exploit, but it definitely does not reduce the risk to anywhere near zero. The only correct way to mitigate against exploits like this is a patch, end of story.


Absolutely, but like I mentioned in the prior post, these are local privescs. You basically need to go out and install malicious apps.

If you can use Windows without it getting full of malware, you can handle unpatched Android LPEs too.

Keep in mind, WebView, browsers, email clients, etc. are patched via app update mechanisms.


GPU bugs are particularly concerning because they have significant power (the GPU can often map all of physical memory if convinced to do so) and are widely exposed (lots of things need graphics). Turning one of these into a full chain can often require zero bugs if the buggy API is callable from JavaScript, or one to escape the VM and poke the driver.


Um, no? Most of the RCEs I'm seeing are at the OS level and would require upgrading to a newer Android OS version that older devices won't have support for.


To fully patch, yes, but the point is that Play Protect is detecting them before installation, before they can be exploited, i.e. on submission to the Play Store or on installation on devices.

Yes, this is still a risk - if you tend to install random APKs from the internet and disable Play Protect, or run across an undetected modification of the relevant exploit code. But most users don't do that.


Gotcha. Still, it's a lot of RCEs coming out per month to depend on black-box machine learning for something people use every day for their personal/business needs.


I would like to see stats on what percentage of Android phones were exploited in the wild for malicious purposes (i.e. excluding cases where the user is deliberately jailbreaking them).

Personally I have never seen any friends or relatives get malware on their phone that gets outside the app sandbox (i.e. uninstalling the bad app seems to solve the issue). Compare that to MS Windows, where it seems common for regular users to have malware-infested systems.


Generally the fraction is fairly low, because the bar for a full chain these days is pretty high. That said, it is important not to be lulled into a false sense of security because you don't seem like an attractive target. A chain worth $50k can be a good purchase if you think you can bring home a million dollars with it.