Thanks for the quick reply.
The reason why I ask is because I read online that Apple recently issued a software update for a malware download. One doesn't need to download the new malware to the iPhone. Somehow it is downloaded to the owner's phone without the owner being aware that the phone is infected with malware.
Yes, this was a patch for a security flaw in iMessage that was being exploited by the Pegasus spyware to allow zero click infection. So that particular exploit will never affect Android, because only iDevices can run iMessage, but of course that doesn't mean that other exploits won't appear for Android.
It had in fact been used by the developers of this spyware for several years without Apple being aware (which you might argue is an illustration of the closed-source "security through obscurity" model's weakness). It was only when some press organisations got access to data that showed how it was being used (by the spyware company's clients, all national governments, to target inconvenient people like opposition politicians, journalists, human rights activists, etc) and the story made headlines that Apple became aware and acted.
One day my phone was making a lot of noise. A Verizon app was downloading Chime (you've probably seen the TV commercial) to my phone. I tried to stop the download. I failed. I restarted the phone & the download continued. I had to manually uninstall the app. I disabled the Verizon app. I was mad that the Verizon app downloaded Chime without my permission. I swore that I'd never again get a phone with bloatware.
Sounds entirely fair to me. The worst bloatware providers seem to be service providers such as VZW rather than phone manufacturers, so part of my solution is never to buy a phone through a carrier (though British carriers don't seem to be as bad as many US ones - I have the impression that VZW are about the worst on the planet for this).
I pay off my S10 in March of 2022. Then I want to get a bloatware-free phone. I've never had an iPhone. I do have a Mac mini desktop & a MacBook Air.
That's why I asked the question. I'm wondering how quickly Pixels get software updates after a zero-day attack.
And the answer is basically "as quickly as any Android phone will", since it is Google who provide patches to the Android OS - though, as noted, Samsung have sometimes actually released the patch they receive from Google a couple of days before Google release it themselves. But for an OS fix Samsung, and all other manufacturers, receive the patch from Google; the only case where a manufacturer would be making the patch themselves would be if they introduced a vulnerability via one of their own apps or modifications, and hence it was specific to their devices. Therefore as long as we are talking Android, nobody is going to get the patch significantly faster than a Pixel.
How quick that is will depend on when they find out and how complex it is to fix, so you can't give a definite answer. What usually happens with such vulnerabilities is that they are discovered by a security researcher (or sometimes someone in the company) and the company is warned privately, with the vulnerability only being revealed publicly when a fix is available or imminent. Hence it's hard to say from outside how long this normally takes. Sometimes people go public with information about the vulnerability because they think that the company (Google, Apple, Microsoft, whoever) is taking too long to provide a fix. I've never seen any evidence that one or other of these companies is overall quicker at patching things, but it's hard from the outside to really know (they'll all claim to be the best, but then they would say that...).
The iMessage bug that Pegasus was exploiting was unusual in that as far as I can tell it became known through journalistic investigation rather than security research. Even then I don't know at what point Apple would have known: the story got widespread publicity when a few journalistic organisations who had been investigating this stuff got hold of evidence of how widely it was being used and who was being targeted, but I'd been reading about its existence, and abuse (always denied by the developers), for many months before that, and if I as a private citizen knew of this stuff you'd hope that all of these companies would have someone paying attention to such things, even though there is a difference between knowing that there is a vulnerability and knowing what it is. So I really cannot say when Apple would have known of the iMessage vulnerability, and hence how long it took them to patch it. Of course the patch was rather dramatically rushed out, but by that time there was a story out there that many people were being spied on using a vulnerability in their iPhones, which was a public threat to one of their marketing messages, so they had to be seen to be acting quickly. But that doesn't tell us what they knew and when, and hence how long it took to develop and test the patch - though given that they couldn't possibly risk releasing an insufficiently-tested patch to something like iMessage I doubt that this was a matter of days, no matter what impression they would like to give.