On Monday, Google released an update for Android that fixes two zero-day flaws which, in Google's words, “may be under restricted, targeted exploitation.” In other words, Google is aware that hackers are using these bugs to compromise Android devices in real-world attacks.
One of the two zero-days, tracked as CVE-2024-53197, was identified by Amnesty International in collaboration with Benoît Sevens of Google's Threat Analysis Group, the company's team that tracks government-backed cyberattacks.
In February, Amnesty said it had discovered that Cellebrite, a company that sells phone-unlocking devices to law enforcement, was using three zero-day vulnerabilities chained together to break into Android phones.
In that case, Amnesty found that the vulnerabilities, including the one patched on Monday, were being used against targets by Serbian authorities equipped with Cellebrite devices.
Much less is known about the second vulnerability, CVE-2024-53150. Google credits Sevens with its discovery, and it was also patched on Monday, but beyond the fact that the flaw lies in the kernel, the core of the operating system, few details are available.
Google and Amnesty did not respond immediately to requests for comment.
“The most serious of these issues are critical security vulnerabilities in system components that can lead to remote escalation of privileges without requiring additional execution privileges,” the tech giant said in its advisory.
Google pushed source code patches for the two fixed zero-days within 48 hours of the advisory, while also noting that Android partners “were notified of all issues at least one month prior to publication.”
Given the open source nature of Android, each phone maker still needs to push the patch out to its own users.