On Monday, Google took a significant step in bolstering Android security by releasing an update that addresses two critical zero-day vulnerabilities. These flaws, which the company described as potentially subject to “limited, targeted exploitation,” indicate that cybercriminals may have already been leveraging these weaknesses to compromise Android devices in real-world scenarios.
Details of the Vulnerabilities
Among the vulnerabilities patched in this update, CVE-2024-53197 stands out. This particular flaw was uncovered through a collaboration between Amnesty International and Benoît Sevens from Google’s Threat Analysis Group, a team dedicated to monitoring government-backed cyber threats.
Earlier this year, Amnesty International revealed that Cellebrite, a firm specializing in tools for law enforcement to unlock and analyze mobile devices, had exploited a series of three zero-day vulnerabilities to gain unauthorized access to Android phones. This alarming revelation highlighted the potential for misuse of such vulnerabilities by authorities.
In a specific case, Amnesty documented the use of these vulnerabilities against a Serbian student activist, who was targeted by local authorities utilizing Cellebrite’s technology.
The second vulnerability, CVE-2024-53150, also patched in this update, has been disclosed in less detail. It was likewise identified by Sevens and lies in the kernel, the core component of the operating system.
Google’s advisory emphasized the severity of the vulnerabilities, noting that the most critical issue could allow for remote privilege escalation without requiring additional execution privileges or user interaction for exploitation. This underscores the urgency of the update.
In a proactive measure, Google announced that it would release source code patches for both vulnerabilities within 48 hours of the advisory. Furthermore, the company noted that Android partners are informed of such issues at least a month prior to public disclosure, ensuring that manufacturers can prepare necessary updates for their users.
Given the open-source nature of Android, it is now incumbent upon each phone manufacturer to implement these patches and distribute them to their respective user bases, reinforcing the collective responsibility for device security.
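Because each manufacturer ships these fixes on its own schedule, the practical check on the defender's side is whether a given device actually reports a security patch level that includes them. The following shell snippet is an added example, not code from the article or from Google: it reads the patch level Android exposes as the system property ro.build.version.security_patch (YYYY-MM-DD form, readable with `adb shell getprop ro.build.version.security_patch`) and compares it with the level an organization requires. The REQUIRED_LEVEL variable and the two function names are assumptions of this example; the bulletin date you need is not stated on this page, so supply it yourself.

```shell
#!/bin/sh
# Added example (not from the article): verify that an Android device reports
# a security patch level at least as new as the one an organization requires.
# Android exposes the level as the system property
# ro.build.version.security_patch in YYYY-MM-DD form.

# Returns 0 if DEVICE_LEVEL is a well-formed YYYY-MM-DD string that is not
# older than REQUIRED_LEVEL, 1 if it is older, 2 if either value is missing
# or malformed (e.g. an empty property on a device without the field).
patch_level_ok() {
    device_level=$(printf '%s' "$1" | tr -d '\r')   # adb output may carry a CR
    required_level="$2"
    for v in "$device_level" "$required_level"; do
        case "$v" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) return 2 ;;
        esac
    done
    # Zero-padded ISO dates compare chronologically once the hyphens are dropped.
    d=$(printf '%s' "$device_level" | tr -d '-')
    r=$(printf '%s' "$required_level" | tr -d '-')
    [ "$d" -ge "$r" ]
}

# Reads the property from the device adb is talking to and reports a verdict.
# REQUIRED_LEVEL is an assumed variable: set it to the patch level named in the
# Android security bulletin that carries the fixes you care about.
check_connected_device() {
    required="${REQUIRED_LEVEL:?set to the YYYY-MM-DD patch level from the relevant Android security bulletin}"
    level=$(adb shell getprop ro.build.version.security_patch)
    if patch_level_ok "$level" "$required"; then
        echo "OK: device patch level $level satisfies $required"
    else
        echo "NEEDS UPDATE: device patch level '$level' is older than $required"
        return 1
    fi
}
```

Source the file and call `check_connected_device` with REQUIRED_LEVEL exported and a device attached over adb; the comparison itself is in `patch_level_ok`, which takes plain strings so it can be reused over a fleet inventory exported from an MDM.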
This story was updated to include Amnesty’s response.