Google rolled out a security update for Android addressing two zero-day vulnerabilities that, according to the company, “may be under limited, targeted exploitation.” This indicates that hackers have already been using — or may still be using — these flaws to infiltrate Android devices in real-world attacks.
One of the patched zero-days, identified as CVE-2024-53197, was discovered through a joint effort by Amnesty International and Benoît Sevens from Google’s Threat Analysis Group, the team responsible for monitoring state-sponsored cyber threats.
Earlier in February, Amnesty reported that Cellebrite — a firm that provides digital forensics tools to law enforcement — had exploited a trio of previously unknown vulnerabilities to break into Android smartphones. Among those was the flaw fixed in Monday’s update, which was allegedly used against a Serbian student activist by authorities equipped with Cellebrite technology.
Details about the second flaw, labeled CVE-2024-53150, remain scarce. Google’s Sevens is also credited with its discovery, and the vulnerability is known to affect the kernel, which is the central part of the Android operating system.
Google has yet to issue an official comment. Meanwhile, an Amnesty International spokesperson, Hajira Maryam, stated the organization has no further comment at this time.
In its security advisory, Google described the more severe of the two vulnerabilities as a critical issue in the System component, capable of remote privilege escalation without requiring user interaction or additional execution rights.
The company plans to release the source code fixes for both vulnerabilities within 48 hours of the advisory. It also noted that Android device partners were informed of these issues at least a month in advance.
Due to Android’s open-source structure, each device manufacturer is responsible for distributing the security patches to their users.