Google has released an emergency patch for Android that addresses two zero-day vulnerabilities that, according to the company, may already be exploited by hackers in real-world attacks. The attacks work by escalating privileges on the device and do not require any action from users.
One of the vulnerabilities, tracked as CVE-2024-53197, was discovered by Amnesty International experts together with Benoît Sevens, a member of Google’s Security and Threat Intelligence Team. The team tracks cyberattacks that originate from state actors. For example, in February, Amnesty reported that Cellebrite, a company that develops tools for law enforcement agencies, had used a chain of three zero-day vulnerabilities to hack Android devices.
According to TechCrunch, one of these vulnerabilities was used against a Serbian student activist by local authorities using Cellebrite technology. It was this vulnerability that was fixed in a patch released this week. However, the details of the second fixed bug, CVE-2024-53150, remain unclear. It is only known that its discovery is also attributed to Benoît Sevens and that the problem affects the operating system kernel.
In its official statement, Google noted that “the most serious issue is a critical vulnerability in the System component that could lead to remote privilege escalation without requiring additional access rights.” It also emphasized that exploitation of the vulnerability does not require any action from the user, who may not even be aware that it is happening.
Google said the source code for the fixes to the two vulnerabilities would be published within 48 hours of the security bulletin being released. It also stressed that its partners, the Android device makers, traditionally receive information about such problems at least a month before the public release of updates.
It is also noted that since the Android operating system is based on open source code, each phone manufacturer will now have to independently distribute updates to its users.