In its report, Google asks whether zero-days are even needed on Android. Typically, a vulnerability would be most concerning before it becomes public. During this (hopefully short) period, an attacker can execute exploits without having to worry about a patch.
In the case of Android, as soon as Google becomes aware of the vulnerability, it is then an n-day flaw, regardless of patch status.
Android patches are just too slow
Google added that in some cases, patches have not been available to users for a significant amount of time across its ecosystem, which it blames on a disconnect between upstream (developer) fixes and the downstream (manufacturer) adoption.
A 2022 report entitled ‘Mind the Gap’ concluded that device vendors should be just as quick to react to patches as end users are advised to be.
A total of 41 zero-days were detected in 2022, down a staggering 40% from the previous year during which 69 had been detected, however with n-day vulnerabilities more exploitable than they should be, attackers have not been subject to the same reduction in attackable surfaces.
At the same time, Google highlighted ineffective patch methods which only serve to fix the exploit method seen being used, rather than the vulnerability as a whole, which it says is not comprehensive and doesn’t constitute a complete patch.
Moving forward, Google clearly places an emphasis on clear communication and collaboration, urging that all parties share as many technical details as possible following detailed analyses.
The company also calls for “fixes and mitigations to [get to] users quickly so that they can protect themselves.”