On Monday, Google released an update for Android that fixes two zero-day flaws that “may be under limited, targeted exploitation,” as the company put it. That means Google is aware that hackers have been and may still be using the bugs to compromise Android devices in real-world scenarios.
One of the two now-fixed zero-days, tracked as CVE-2024-53197, was identified by Amnesty International in collaboration with Benoît Sevens of Google’s Threat Analysis Group, the tech giant’s security team that tracks government-backed cyberattacks.
In February, Amnesty said it had found that Cellebrite, a company that sells devices to law enforcement for unlocking and forensically analyzing phones, was taking advantage of a chain of three zero-day vulnerabilities to hack into Android phones.
Contact Us
Do you have more information about Android zero-days? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.
In this case, Amnesty found the vulnerabilities, including the one patched on Monday, being used against a Serbian student activist by local authorities armed with Cellebrite.
There isn’t a lot of information, however, on the second vulnerability, CVE-2024-53150, patched on Monday, other than the fact that its discovery was also credited to Google’s Sevens and that the flaw was found in the kernel, the core of an operating system.
Google did not immediately respond to a request for comment.
Amnesty spokesperson Hajira Maryam said the non-profit did not have anything to share at this point.
The tech giant said in its advisory that “the most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed,” and that, “user interaction is not needed for exploitation.”
Google said that it would push source code patches for the two fixed zero-days within 48 hours of the advisory, while also noting that Android partners are “notified of all issues at least a month before publication.”
Given Android’s open source nature, every phone manufacturer now has to push patches out to their own users.
This story was updated to include Amnesty’s response.
