Google Patches Android Zero-Day Exploits - Security Update

Google Addresses Critical Android Zero-Day Vulnerabilities

An update was issued by Google on Monday to resolve two zero-day security flaws. These vulnerabilities were potentially being exploited in a limited and targeted manner, according to the company’s statement.

This indicates that Google had knowledge of active exploitation of these bugs by malicious actors, potentially compromising Android devices in real-world attacks.

Details of the Vulnerabilities

The first zero-day, identified as CVE-2024-53197, was discovered through a collaborative effort between Amnesty International and Benoît Sevens from Google’s Threat Analysis Group. This group specializes in tracking government-sponsored cyberattacks.

Amnesty International previously reported in February that Cellebrite, a provider of digital forensics tools to law enforcement, was leveraging a sequence of three zero-day vulnerabilities to gain access to Android phones.

Specifically, the research revealed that these vulnerabilities, including the one addressed in Monday’s update, were utilized against a student activist in Serbia by local authorities using Cellebrite technology.

Limited Information on Second Vulnerability

Less information is currently available regarding the second vulnerability, CVE-2024-53150, which was also patched on Monday.

Its discovery is also credited to Benoît Sevens of Google’s security team, and the flaw resides within the kernel, the fundamental core of the Android operating system.

Google has not yet provided a public response to requests for further clarification.

A spokesperson for Amnesty International, Hajira Maryam, indicated that the organization has no additional information to share at this time.

Severity and Patch Distribution

According to Google’s security advisory, the most critical issue is a vulnerability within the System component. This flaw allows for remote escalation of privilege without requiring any additional execution permissions.

Importantly, user interaction is not necessary for successful exploitation of this vulnerability.

Google has stated that source code patches for both zero-days will be distributed within 48 hours of the advisory’s release.

Furthermore, Android partners were notified of these issues at least one month prior to public disclosure.

Manufacturer Responsibility

Due to Android’s open-source nature, each phone manufacturer is now responsible for deploying the necessary patches to their respective users.

This ensures that the security updates reach a broad range of Android devices.

This report has been updated to include a statement from Amnesty International.