In resetSettingsLocked of SettingsProvider.java, there is a possible lockscreen bypass due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "ff86ff28cf82124f8e65833a2dd8c319aea08945", "tree": "524d68215696fbfe5584e2a97f296e20904941a2", "parents": \[ "86c8421c1181816b6cb333eb62a78e32290c4b17" \], "author": { "name": "Eric Biggers", "email": "ebiggers@google.com", "time": "Fri Jul 28 22:03:03 2023 +0000" }, "committer": { "name": "Justin Dunlap", "email": "justindunlap@google.com", "time": "Fri Sep 01 12:58:52 2023 -0700" }, "message": "RESTRICT AUTOMERGE: SettingsProvider: exclude secure\_frp\_mode from resets\\n\\nWhen RescueParty detects that a system process is crashing frequently,\\nit tries to recover in various ways, such as by resetting all settings.\\nUnfortunately, this included resetting the secure\_frp\_mode setting,\\nwhich is the means by which the system keeps track of whether the\\nFactory Reset Protection (FRP) challenge has been passed yet. With this\\nsetting reset, some FRP restrictions went away and it became possible to\\nbypass FRP by setting a new lockscreen credential.\\n\\nFix this by excluding secure\_frp\_mode from resets.\\n\\nNote: currently this bug isn\\u0027t reproducible on \\u0027main\\u0027 due to ag/23727749\\ndisabling much of RescueParty, but that is a temporary change.\\n\\nBug: 253043065\\nTest: With ag/23727749 reverted and with my fix to prevent\\n com.android.settings from crashing \*not\* applied, tried repeatedly\\n setting lockscreen credential while in FRP mode, using the\\n smartlock setup activity launched by intent via adb. Verified\\n that although RescueParty is still triggered after 5 attempts,\\n secure\_frp\_mode is no longer reset (its value remains \\"1\\").\\nTest: Verified that secure\_frp\_mode still gets changed from 1 to 0 when\\n FRP is passed legitimately.\\nTest: atest com.android.providers.settings.SettingsProviderTest\\nTest: atest android.provider.SettingsProviderTest\\n(cherry picked from commit 9890dd7f15c091f7d1a09e4fddb9f85d32015955)\\n(changed Global.SECURE\_FRP\_MODE to Secure.SECURE\_FRP\_MODE,\\n needed because this setting was moved in U)\\n(removed static keyword from shouldExcludeSettingFromReset(),\\n needed for compatibility with Java 15 and earlier)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:8c2d2c6fc91c6b80809a91ac510667af24d2cf17)\\nMerged-In: Id95ed43b9cc2208090064392bcd5dc012710af93\\nChange-Id: Id95ed43b9cc2208090064392bcd5dc012710af93\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "a6edb0f0e2e35722ff118876f3098934a38b0f76", "old\_mode": 33188, "old\_path": "packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java", "new\_id": "2e04cdae2a30420eb8a7aa41adf5dd5ef4dbf661", "new\_mode": 33188, "new\_path": "packages/SettingsProvider/src/com/android/providers/settings/SettingsProvider.java" }, { "type": "modify", "old\_id": "eaf0dcb9b4e797a07e5c2c058c3bbfe260b5024a", "old\_mode": 33188, "old\_path": "packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java", "new\_id": "1c6d2b08136c3bda2fee087466e44ee105ce8ec4", "new\_mode": 33188, "new\_path": "packages/SettingsProvider/test/src/com/android/providers/settings/SettingsProviderTest.java" } \] }

CVE-2023-40117

In onBindingDied of CallRedirectionProcessor.java, there is a possible permission bypass due to a logic error in the code. This could lead to local escalation of privilege and background activity launch with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "5b335401d1c8de7d1c85f4a0cf353f7f9fc30218", "tree": "85b52fe7ec98818de079ea0df2d775b8c39a2655", "parents": \[ "dd302d211bd8b935464b48551a76ef718bf33ccc" \], "author": { "name": "Grace Jia", "email": "xiaotonj@google.com", "time": "Thu Jul 20 13:42:50 2023 -0700" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:13:01 2023 +0000" }, "message": "Fix vulnerability in CallRedirectionService.\\n\\nCurrently when the CallRedirectionService binding died, we didn\\u0027t do\\nanything, which cause malicious app start activities even not run in the\\nbackground by implementing a CallRedirectionService and overriding the\\nonPlaceCall method to schedule a activity start job in an independent\\nprocess and then kill itself. In that way, the activity can still\\nstart after the CallRedirectionService died. Fix this by unbinding the\\nservice when the binding died.\\n\\nBug: b/289809991\\nTest: Using testapp provided in bug to make sure the test activity can\\u0027t\\nbe started\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:29b52e3cd027da2d8644450a4dee3a7d95dc0043)\\nMerged-In: I065d361b83700474a1efab2a75928427ee0a14ba\\nChange-Id: I065d361b83700474a1efab2a75928427ee0a14ba\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "226382bde4ab09d0efc1ec408db64c7e3c2cf633", "old\_mode": 33188, "old\_path": "src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java", "new\_id": "02debcd6c1b5710c2a7a14cd97165ff3d8e080cc", "new\_mode": 33188, "new\_path": "src/com/android/server/telecom/callredirection/CallRedirectionProcessor.java" } \] }

CVE-2023-40130

In appendEscapedSQLString of DatabaseUtils.java, there is a possible SQL injection due to unsafe deserialization. This could lead to local information disclosure with User execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "3287ac2d2565dc96bf6177967f8e3aed33954253", "tree": "832070d1a4d228a36bfcce5f0f3410555063e3ca", "parents": \[ "7212a4bec2d2f1a74fa54a12a04255d6a183baa9" \], "author": { "name": "Kunal Malhotra", "email": "malhk@google.com", "time": "Fri Jun 02 23:32:02 2023 +0000" }, "committer": { "name": "Justin Dunlap", "email": "justindunlap@google.com", "time": "Fri Sep 01 12:58:52 2023 -0700" }, "message": "Fixing DatabaseUtils to detect malformed UTF-16 strings\\n\\nTest: tested with POC in bug, also using atest\\nBug: 224771621\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:fb4a72e3943d166088407e61aa4439ac349f3f12)\\nMerged-In: Ide65205b83063801971c5778af3154bcf3f0e530\\nChange-Id: Ide65205b83063801971c5778af3154bcf3f0e530\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "6c8a8500e4e38c282491cefbf98e42b3a92e976a", "old\_mode": 33188, "old\_path": "core/java/android/database/DatabaseUtils.java", "new\_id": "d41df4f49d48fd3d2bf7274644fc96e67352022b", "new\_mode": 33188, "new\_path": "core/java/android/database/DatabaseUtils.java" } \] }

CVE-2023-40121

In FillUi of FillUi.java, there is a possible way to view another user's images due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "08becc8c600f14c5529115cc1a1e0c97cd503f33", "tree": "3f0b8b76102e3b965d293910f949644ce9963cc3", "parents": \[ "2d88a5c481df8986dbba2e02c5bf82f105b36243" \], "author": { "name": "Tim Yu", "email": "yunicorn@google.com", "time": "Tue Jun 20 21:24:36 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:43 2023 +0000" }, "message": "\[DO NOT MERGE\] Verify URI Permissions in Autofill RemoteViews\\n\\nCheck permissions of URI inside of FillResponse\\u0027s RemoteViews. If the\\ncurrent user does not have the required permissions to view the URI, the\\nRemoteView is dropped from displaying.\\n\\nThis fixes a security spill in which a user can view content of another\\nuser through a malicious Autofill provider.\\n\\nBug: 283137865\\nFixes: b/283264674 b/281666022 b/281665050 b/281848557 b/281533566\\nb/281534749 b/283101289\\nTest: Verified by POC app attached in bugs\\nTest: atest CtsAutoFillServiceTestCases (added new tests)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:93810ba1c0a4d31f49adbf9454731e2b7defdfc0)\\nMerged-In: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\\nChange-Id: I6f4d2a35e89bbed7bd9e07bf5cd3e2d68b20af9a\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "bc5d6457c945fec1263428c45dd50615ec131132", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/Helper.java", "new\_id": "48113a81cca5f0a44dc5b478f47e7cadef622745", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/Helper.java" }, { "type": "modify", "old\_id": "c2c630e01bee7a3d999047550719a9e2b0e25201", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java", "new\_id": "59184e9ed28814672004f7d8a8d01b6105ab7b40", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/DialogFillUi.java" }, { "type": "modify", "old\_id": "8fbdd81cc4cc666f5fe855da1aa29187066ac73f", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java", "new\_id": "76fa258734ccc37aea53d19990e64f122c6a0f51", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/FillUi.java" }, { "type": "modify", "old\_id": "677871f6c85f860363fc3e5cb2d07f65b602f6ef", "old\_mode": 33188, "old\_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java", "new\_id": "533a7b69a650a58ecceb078fd2442dc9e74f67c2", "new\_mode": 33188, "new\_path": "services/autofill/java/com/android/server/autofill/ui/SaveUi.java" } \] }

CVE-2023-40139

In android_view_InputDevice_create of android_view_InputDevice.cpp, there is a possible way to execute arbitrary code due to a use after free. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "2d88a5c481df8986dbba2e02c5bf82f105b36243", "tree": "6fe3bd910de991370a02c926861447a19172e1ac", "parents": \[ "5a3d0c131175d923cf35c7beb3ee77a9e6485dad" \], "author": { "name": "Josep del Rio", "email": "joseprio@google.com", "time": "Mon Jun 26 09:30:06 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:10:32 2023 +0000" }, "message": "Do not share key mappings with JNI object\\n\\nThe key mapping information between the native key mappings and\\nthe KeyCharacterMap object available in Java is currently shared,\\nwhich means that a read can be attempted while it\\u0027s being modified.\\n\\nBug: 274058082\\nTest: Patch tested by Oppo\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:3d993de0d1ada8065d1fe561f690c8f82b6a7d4b)\\nMerged-In: I745008a0a8ea30830660c45dcebee917b3913d13\\nChange-Id: I745008a0a8ea30830660c45dcebee917b3913d13\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "9cc72437a0234a89063644ffe2ab29c1dd47e381", "old\_mode": 33188, "old\_path": "core/jni/android\_view\_InputDevice.cpp", "new\_id": "f7c770e0bffb81d000ca79477c2fa674b44d66b4", "new\_mode": 33188, "new\_path": "core/jni/android\_view\_InputDevice.cpp" } \] }

CVE-2023-40140

In GpuService of GpuService.cpp, there is a possible use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "0cda11569dd256ff3220b4fe44f861f8081d7116", "tree": "76c88564d59b51976e524a8eb2a394c269786e01", "parents": \[ "686a75e8cd7a20c613dca5fec9d5a7877d360bac" \], "author": { "name": "sergiuferentz", "email": "sergiuferentz@google.com", "time": "Mon Jun 26 18:01:47 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:11:52 2023 +0000" }, "message": "Fix for heap-use-after-free in GPUService.cpp\\n\\nThis adds a unit test and fix for the bug reported by libfuzzer.\\nChanges made:\\n \* Expose GPUService as testable code.\\n \* Update main\_gpuservice.cpp to use the new GpuService now located at\\n gpuservice/GpuService.h\\n \* Make initializer threads members of GpuService\\n \* Join the threads in destructor to prevent heap-use-after-free.\\n \* Add unit test that waits 3 seconds after deallocation to ensure no\\n wrong access is made.\\n\\nBug: 282919145\\nTest: Added unit test and ran on device with ASAN\\n(cherry picked from commit 3c00cbc0f119c3f59325aa6d5061529feb58462b)\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:7fb707802ee4c667d1ee6065ae2845d835b47aeb)\\nMerged-In: I4d1d2d4658b575bf2c8f425f91f68f03114ad029\\nChange-Id: I4d1d2d4658b575bf2c8f425f91f68f03114ad029\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "5b4ee21b423353b3ba8fafe8559ebe2a2e1b24e1", "old\_mode": 33188, "old\_path": "services/gpuservice/Android.bp", "new\_id": "020940f04e7ce0a8c7b92180446e010336060ae4", "new\_mode": 33188, "new\_path": "services/gpuservice/Android.bp" }, { "type": "modify", "old\_id": "7b9782f4e8972debbae12326760ff70c3a61de5c", "old\_mode": 33188, "old\_path": "services/gpuservice/GpuService.cpp", "new\_id": "5643940a6eb4b727eadc881e5633553425d2331b", "new\_mode": 33188, "new\_path": "services/gpuservice/GpuService.cpp" }, { "type": "rename", "old\_id": "d7313d165e3544ba2cbb05e7a8f4febc06a75a8d", "old\_mode": 33188, "old\_path": "services/gpuservice/GpuService.h", "new\_id": "3e0ae66f39853ea3a9f2dbb0c8afeb1167872f83", "new\_mode": 33188, "new\_path": "services/gpuservice/include/gpuservice/GpuService.h", "score": 94 }, { "type": "modify", "old\_id": "64aafcab6a39fbe1e63531926de29f72c8a65af9", "old\_mode": 33188, "old\_path": "services/gpuservice/main\_gpuservice.cpp", "new\_id": "200237219e00b261f8f8bc81ff61c428a22ba882", "new\_mode": 33188, "new\_path": "services/gpuservice/main\_gpuservice.cpp" }, { "type": "modify", "old\_id": "4fb0d2e734b8f3a2c2cff8466eedafa6a2cb4c62", "old\_mode": 33188, "old\_path": "services/gpuservice/tests/unittests/Android.bp", "new\_id": "808c86bcae900abf043dc27e9e4045d8163dbaf4", "new\_mode": 33188, "new\_path": "services/gpuservice/tests/unittests/Android.bp" }, { "type": "add", "old\_id": "0000000000000000000000000000000000000000", "old\_mode": 0, "old\_path": "/dev/null", "new\_id": "62b3e53f5347dbff7d7bc5d2f64f6612247e46dd", "new\_mode": 33188, "new\_path": "services/gpuservice/tests/unittests/GpuServiceTest.cpp" } \] }

CVE-2023-40131

In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

)\]}' { "commit": "c0151aa3ba76c785b32c7f9d16c98febe53017b1", "tree": "96bf9c2e4aeb3c9a5db37467c05c328039ae7d60", "parents": \[ "48779ff3ddafee92e4f098bdbaaf2e9f21b0957e" \], "author": { "name": "Hui Peng", "email": "phui@google.com", "time": "Tue May 16 02:09:38 2023 +0000" }, "committer": { "name": "Android Build Coastguard Worker", "email": "android-build-coastguard-worker@google.com", "time": "Thu Aug 10 17:12:27 2023 +0000" }, "message": "Fix an integer underflow in build\_read\_multi\_rsp\\n\\nWhen p\_buf-\\u003elen is mtu - 1 and p\_cmd-\\u003emulti\_req.variable\_len\\nevaluates to true, integer underflow is triggered\\nin the following line, resulting OOB access.\\n\\n\`\`\`\\n len \\u003d p\_rsp-\\u003eattr\_value.len - (total\_len - mtu);\\n\`\`\`\\n\\nBug: 273874525\\nTest: manual\\nIgnore-AOSP-First: security\\nTag: #security\\n(cherry picked from https://googleplex-android-review.googlesource.com/q/commit:85f4d53c7bf90b806639a3a302f0007ffb3b9f23)\\nMerged-In: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4\\nChange-Id: Ia60dd829ff9152c083de1f4c1265bb3ad595dcc4\\n", "tree\_diff": \[ { "type": "modify", "old\_id": "0b60a6a8db91e9e1af0bc1f1426a73f50cfc2864", "old\_mode": 33188, "old\_path": "system/stack/gatt/gatt\_sr.cc", "new\_id": "4c00743228252e0d2805433ad5cc663b6f169250", "new\_mode": 33188, "new\_path": "system/stack/gatt/gatt\_sr.cc" } \] }

CVE-2023-40129

When investing in a unified endpoint management solution, prioritize the needs of your network and users ahead of brand names. This Tech Tip focuses on questions to ask.

A high-caliber, enterprise-grade unified endpoint management (UEM) solution is more critical than ever in today's remote, hybrid, and constantly fluctuating work landscape. If you're in procurement or finance, you're likely under a lot of pressure to choose the right one. You must drive operational efficiency through cost savings and overhead optimization.

For many organizations, Microsoft Intune (rebranded from Microsoft Endpoint Manager \[MEM\] and generally sold as part of an MS Enterprise License Agreement \[ELA\]) looks like a solid choice for endpoint management. It's a cloud-based solution with clear name recognition. Another plus: Microsoft's Intune plan pricing seems very approachable.

Other options have less name recognition than Microsoft but may be a better fit depending on an organization's needs. For example, according to G2, Ivanti Neurons for UEM gets high ratings for quality of support and ease of use. Atera offers particular expertise for small businesses. NinjaOne is rated well for being "a good partner in doing business."

The upshot: Organizations should not be making purchasing decisions based on brand name and pricing. Instead, companies should look beneath the surface before investing in technology, particularly in high-stakes scenarios with serious return on investment (ROI) potential.

**What to Ask Before Investing in a UEM Solution**

We cannot attempt to discuss the pros and cons of every major UEM solution available. With that in mind, here's what I recommend asking when evaluating a UEM solution:

1.  What type of devices will I be using the UEM solution for? Is it primarily mobile, mostly laptops or desktops, or a combination?
2.  Are my endpoints dispersed regionally, globally, or mostly on-site behind a perimeter?
3.  How is my IT help desk going to support and troubleshoot these devices? What is the additional cost per year to support?
4.  How many employees will be involved, and what's the cost per employee?
5.  What are the licensing agreements like? Do I need to buy a whole pie when I only want a slice?
6.  How is pricing structured? Will it scale based on usage?
7.  Do my employees exclusively use one type of device and operating system or a mix? If it's the latter, will the UEM solution work just as well regardless of the device type and OS used?
8.  Would my IT and security team benefit more from a central dashboard with a single-pane-of-glass view or integrated Mobile Threat Defense capabilities?
9.  How does the solution integrate with my other vendors/solutions and third-party apps?
10.  How many more IT employees will it take to manage? Does it require more servers?

Some of those questions might sound overly technical to those in finance and procurement, but your answers can significantly affect your true usability and costs.

**Get the Full Picture of Your Total Cost of Ownership**

As a rule, technology must suit the organization using it, and no technology solution is suitable for everyone. Total cost of ownership, for instance, is important, and it varies among solutions. Let's look at Intune as an example.

For all its strengths and lightweight supports on operating systems such as Android and macOS, Intune is not recommended for some verticals and businesses that require robust support on third-party applications. It is not intended as a complete systems-management platform. Part of the reason it might look like you're saving money by switching to Intune is because it's built primarily for a narrow subset of needs — and those needs are more cost-effective for Microsoft to handle.

Suppose you have diverse endpoints and many third-party apps to manage and integrate. In that case, you'll end up in a tough spot — either tolerating significant vulnerability or shelling out more for a comprehensive solution to pick up the slack. You'll also likely need to acquire additional software to run on certain operating systems. Furthermore, Microsoft charges additional costs per year for its Remote Help/Remote View of mobile devices.

There are more gaps like this, but perhaps most critically for finance, Microsoft Intune's pricing is based in part on the volume of data transmitted. These usage fees are challenging to predict and budget for and can add up. It becomes problematic when deciding between facilitating an unlimited flow of protected data or managing costs. Additionally, I've seen many enterprises having to buy more servers to manage Intune and hire additional administrators to manage those servers.

**The Bottom Line for Your Bottom Line**

In this example, Microsoft Intune is a fantastic option if:

*   You need a robust solution for lightweight mobile applications mainly on the same OS.
*   Your use case is straightforward enough that a single-pane-of-glass view isn't relevant.
*   The numbers look favorable based on your usage needs.

If you have more complicated requirements, perform due diligence to identify more flexible options.

Regardless of where you end up, do not go _without_ a UEM solution. Your company's security depends on it.

Understand the True Cost of a UEM Before Making the Switch

**PRESS RELEASE**

**SANTA CLARA, Calif.,Oct. 25, 2023/PRNewswire/ --** Malwarebytes, a global leader in real-time cyber protection, today launched an essential new consumer solution, Identity Theft Protection. The new service helps individuals secure their digital identities and defend against identity and online threats. Malwarebytes Identity Theft Protection includes real-time identity monitoring and alerts, robust credit protection and reporting and live agent-supported identity recovery and resolution services – backed by up to a $2 million identity theft insurance policy. The new service, paired with Malwarebytes' award-winning antivirus and VPN software, helps prevent criminals from stealing or using personal information to drain financial accounts, hack or impersonate social media accounts, damage a user's reputation or other online and identity-based attacks.

Today's digital life is complex and sometimes deceptive. According to new research from Malwarebytes, identity theft ranks as people's third biggest concern when it comes to online security, just behind fear of financial accounts and personal data being breached – both of which play into identity theft. Of those surveyed 64% agree that identity theft protection is important, but only 13% have it. Consumers are also increasingly fearful of new technology. Malwarebytes gives consumers protection they can trust, alerting them when we see their information has been stolen and providing live agent support to restore their identity and replace lost items.

"Even as we spend more and more of our lives online, we all know that the internet today can't be trusted," said Mark Beare, GM of Consumer Business Unit, Malwarebytes. "Consumers need a tool that not only blocks threats like malware and phishing, but that also monitors and protects their digital identity, be that social media profiles, bank accounts or email. With Malwarebytes Identity Theft Protection, we provide a robust and exhaustive suite of services so individuals and families can rest easy knowing that we are actively working to keep them safe and protect their digital identity."

Malwarebytes Identity Theft Protection is available globally through a variety of tiered offerings that provide protection via computers and mobile devices across multiple operating systems including Windows, macOS, Android and iOS.

**Key features include:**

*   Identity Monitoring & Alerts**:** Continuously scours a multitude of websites and data sources, including the Dark Web, to alert if personal information is being illegally traded or sold. Recommends actions to take to protect yourself.
*   Credit Monitoring and Protection**:** Ongoing tracking of credit for critical changes, such as new accounts or inquiries and applications for new lines of credit. A credit freeze also can be activated\*.
*   Breach IQ**:** Provides a safety score and alerts if personal information is part of a known breach\*.
*   Identity Recovery & Resolution**:** Assistance in the event of an identity theft incident, including guided steps to report the crime, dispute fraudulent charges, restore identity and recuperate financial losses incurred. Includes up to a $2 million insurance policy.

To read more about the latest threats and cyber protection strategies, visit our blog, or follow us on Facebook, Instagram, LinkedIn, TikTok and Twitter.

_\*U.S. only_

**About Malwarebytes**

Malwarebytes believes that when people and organizations are free from threats, they are free to thrive. Founded in 2008, Malwarebytes CEO Marcin Kleczynski had one mission: to rid the world of malware. Today, Malwarebytes' award-winning endpoint protection, privacy and threat prevention solutions along with a world-class team of threat researchers protect millions of individuals and thousands of businesses across the globe daily. Malwarebytes solutions are consistently recognized by independent tests including AVLAB and AV-TEST. The company is headquartered in California with offices in Europe and Asia. For more information and career opportunities, visit https://www.malwarebytes.com.

Malwarebytes Announces Consumer Identity Theft Protection Solution

With Google's announcement of seven years of support, other smartphone makers risk falling behind.

Consumers want their devices to be secure and need to be supported for longer, according to Omdia's new survey of 1,578 consumers across 13 major countries in the Americas, Asia & Oceania, and Europe in September 2023. Google and Fairphone are pushing this forward, but governments are also stepping in to ensure security is taken seriously —  benefiting consumer safety and the environment.

**The Need for Security Updates**

While every effort can be put in place by a device manufacturer to ensure the device is "secure by design" or even certified to regulatory or standardized requirements, vulnerabilities are constantly evolving. Updates are key to ensure that new vulnerabilities are found and remediated in a timely manner.

This is happening as consumers increasingly use their mobile phones for sensitive activities such as online banking, identity verification and even relying on services such as Apple or Google Pay.

The update support period is therefore crucial, as well as the frequency of updates and the ability for security-specific updates to be rolled out independent of wider software updates — which is now offered by many of the leading smartphones.

**How Much Support Do Consumers Need?**

Security update periods and replacement cycle rates are frequently a topic of discussion among those pushing for sustainable tech. There's also skepticism as to how long devices should realistically be updated for, with some questioning the usefulness of five-year+ support.

However, shedding light on the actual usage of mobile devices makes it clear that the longer the support, the better — for both security and sustainability. As such, we asked consumers how long they are using their smartphones.

Security updates for many phones under $500 only last two years, yet 56% of consumers used their previous phone for longer. While premium phones typically have five years' support, more than 5% reported that they kept their previous phone longer — beyond the support of any phone available at the time. This also doesn't take into account how late after release the consumer is buying it; if you bought a Samsung Galaxy S22 Ultra now, you'd get a little over three years of support. If you bought a refurbished iPhone 11, you'd get under 1 year. This is effectively stifling a growing second-hand phone market — and leaving those devices potentially vulnerable.

Currently the only phones to offer more than five years of guaranteed security updates are the Google Pixel 8 and Pixel 8 Pro (seven years) and the Fairphone 5 (eight years). Longer updates can help to slow replacement and production rates, effectively keeping working phones in consumers' hands for longer. By reducing phone production, it drastically reduces the environmental impacts of the smartphone industry.

    

Source: Omdia

**Who's Responsible?**

Fifty percent of consumers believe it should be the operating system developer (either Apple or Google) that is responsible for the security of their smartphone. However, how long a phone is supported is primarily down to the device maker and its negotiations with the chipset maker.

Apple and Google are in the unique position of making their own chip, device, and operating system. They are, therefore, their own arbiters. This is likely how Google can commit to seven years — but for Samsung and other Android brands, it would be a more complex process.

Ultimately, regulatory pressure, discussed below, will put mandatory security requirements on device manufacturers, and in some cases importers and distributors, to ensure device update transparency.

    

Source: Omdia

**Security Is a Key Purchase-Driver**

Consumers have security top-of-mind when considering their next phone. Forty-six percent confirmed better security features would be a purchase driver, while just 7% said no.

Sixty-nine percent of survey respondents said good security features were critical or important when deciding which smartphone to purchase, although this is second to key hardware specs such as long battery life, durability, and processor speed. When comparing two similar phones, security and brand trust could become the most important and deciding factor.

**Governments, Policymakers and Standards Bodies Must Step In**

There has historically been a lack of standardization and transparency from equipment manufacturers on security measures for their devices. As a result, governments and standards bodies are developing standards to define baseline requirements, defining product labels to increase consumer visibility and choice, and eventually mandating minimum security requirements.

For example, while Apple has historically given five years of support, it's not transparent at launch; if you just bought a new iPhone 15, you have no official commitment from Apple that it will be supported for two years or five. But with the UK's Product Security and Telecommunications Infrastructure (PSTI) Act, the support period must be stated at the point of sale, from April 2024.

The UK PSTI is just one example, with guidance and legislation being proposed in the US, EU, China, Japan, Korea, and more. While mobile devices are sometimes out of the scope of IoT legislation and government guidance, the proposed EU Cyber Resilience Act will include operating systems for mobile devices — mandating security updates for at least five years, among other requirements.

All manufacturers of connected devices should prioritize and adopt standards and guidance such as the widely referenced ETSI EN 303 645 (Cybersecurity for Consumer IoT) or TS 103 732 (Consumer Mobile Device Protection Profile) to future-proof for upcoming regulation. Further, although at the current time labelling is voluntary, device makers can and should ensure and empower consumer choice by opting in to labelling and certification schemes.

Tag

#android