Google released a critical security update for Android on Monday, addressing two zero-day vulnerabilities that were actively being exploited by hackers in targeted attacks, the company acknowledged.
One of the flaws, identified as CVE-2024-53197, was discovered through cooperation between Amnesty International and Benoît Sevens of Google’s Threat Analysis Group, the unit responsible for tracking sophisticated, often government-backed, cyber-threats. Amnesty International previously revealed in February that Cellebrite, a technology firm providing forensic tools to law enforcement agencies, had leveraged a trio of zero-day exploits to infiltrate Android phones in a real-world attack scenario. In one specific case, local Serbian authorities reportedly utilized Cellebrite’s exploit chain to compromise the Android device of a student activist.
The second vulnerability, tracked as CVE-2024-53150, has been described by Google only in brief terms. It was also credited to Google researcher Sevens and is located within Android’s kernel—the fundamental core of the operating system that controls hardware interactions. Google confirmed that this vulnerability can be exploited without any user interaction, making it particularly severe.
In its security advisory, Google noted that the most serious of the patched flaws could allow attackers to remotely elevate their privileges, potentially gaining control over vulnerable devices without needing additional execution privileges or user input.
The company plans to make source code updates public within 48 hours of releasing its security bulletin. Android device manufacturers were notified of the vulnerabilities at least one month before Google’s public disclosure, providing time to issue patches for affected users.
Due to Android’s open-source nature, the deployment of these crucial security updates hinges largely on each manufacturer’s speed and responsiveness. Users are strongly encouraged to promptly apply any available security patches provided by their device manufacturers.