DMR News

Google Patches Two Android Zero-Day Vulnerabilities Exploited by Hackers

By Hilary Ong

Apr 11, 2025

On Monday, Google rolled out an update for Android that addresses two critical zero-day vulnerabilities that were “under limited, targeted exploitation,” according to the company. This means that hackers have been actively using these vulnerabilities to compromise Android devices in real-world attacks.

Vulnerabilities Identified and Patched

The first of these flaws, tracked as CVE-2024-53197, was discovered by Amnesty International in partnership with Benoît Sevens from Google’s Threat Analysis Group, which monitors government-backed cyberattacks. In February, Amnesty reported that Cellebrite, a company known for providing law enforcement agencies with tools to unlock and analyze phones, had been exploiting a chain of three zero-day vulnerabilities to gain unauthorized access to Android devices.

One of these vulnerabilities was used against a Serbian student activist, with local authorities leveraging Cellebrite’s tools to exploit the flaw. The second vulnerability, CVE-2024-53150, which was also patched on Monday, was found in the Android kernel—the core component of the operating system. However, details on this second flaw are scarce, and Google has yet to provide additional information.

Google’s advisory emphasized the seriousness of these vulnerabilities, describing one as a “critical security vulnerability” in the System component that could allow remote privilege escalation with no additional execution privileges needed. User interaction is not required for exploitation, which makes the flaw particularly dangerous.

Google has stated that patches for the two fixed zero-days will be available to Android partners within 48 hours of the advisory, ensuring that they can distribute the updates to their users. Android’s open-source nature means that device manufacturers are responsible for rolling out the patches to their customers.

Author’s Opinion

While the quick response from Google in addressing these vulnerabilities is commendable, the fact that they were actively exploited highlights the ongoing security challenges in the Android ecosystem. Zero-day vulnerabilities, especially ones that don’t require user interaction to be exploited, are a critical issue, and the reliance on manufacturers to distribute patches leaves a lot of room for delays and inconsistency. Users should be aware of the importance of keeping their devices updated, and manufacturers should improve the speed and reliability of their patching systems to avoid future exploits.

