On Monday, Google released an update for Android that fixes two zero-day vulnerabilities that the company says “could be exploited for limited, targeted purposes.” This means that Google is aware that hackers have used and may still be using these bugs to compromise Android devices in the real world.
One of the two zero-day patches, which is tracked as CVE-2024-53197, was discovered by Amnesty International in collaboration with Benoit Sevens of the Google Threat Analysis Group, the tech giant’s security team that tracks government-backed cyberattacks.
In February, Amnesty said it had discovered that Cellebrite, a company that sells phone unlocking and forensic analysis devices to law enforcement agencies, had used a chain of three zero-day vulnerabilities to hack into Android phones.
In this case, Amnesty found that the vulnerabilities, including the one patched on Monday, were used against a Serbian student activist by local authorities armed with Cellebrite.
Little is known about the second vulnerability, CVE-2024-53150, patched on Monday, except that its discovery is also attributed to Google’s “seven” and that the flaw was found in the kernel, i.e., the core of the operating system.
Google did not immediately respond to a request for comment.
Amnesty spokeswoman Hajira Maryam said the nonprofit organization had nothing to share at this time.
In its announcement, the tech giant noted that “the most serious of these issues is a critical security vulnerability in a system component that could lead to remote privilege escalation without additional execution privileges,” and that “no user interaction is required to exploit it.”
Google said it would release source code fixes for the two fixed zero days within 48 hours of notification, and also noted that Android partners “are notified of all issues at least a month in advance of publication.”
Given the open nature of Android, every phone manufacturer must now release patches for its users.
