A new flaw puts nearly a billion phones at risk and shows Android security is still a patchwork mess


Another big security flaw in Android highlights just how messed up the Google ecosystem still is when it comes to security. This one, known as Quadrooter, was disclosed in recent days by security software maker Check Point. Quadrooter affects a whole host of top-end Android devices running one of Qualcomm’s Snapdragon chips. That means hundreds of millions or even a billion devices could be at risk, including top-end models such as the Samsung Galaxy S7, HTC 10 and LG G5 and even Google’s latest Nexus devices and security-focused devices like BlackBerry’s Priv and Silent Circle’s Blackphone.

The problem is there are still so many hands in the pot when it comes to updating Android. Google updates its software, but device makers have to tailor it for their phones — and sometimes they get their software not from Google, but from chipmakers like Qualcomm. And then sometimes mobile carriers want to do their own testing to make sure they aren’t inadvertently introducing other problems onto their network. All that means the time from when a flaw is identified or disclosed to when it is fixed is longer than it should be, sometimes leaving hundreds of millions of phones vulnerable for weeks or months.

