
On Monday, Google rolled out a security update for Android that fixes two serious zero-day bugs, meaning flaws that were being exploited by attackers before a fix was available. Google confirmed that both bugs were already being used in real-world attacks, though likely in a limited and targeted manner.
One of the vulnerabilities, tracked as CVE-2024-53197, was discovered by Amnesty International working alongside Google's Threat Analysis Group (TAG), the team that monitors cyberattacks, especially those believed to be state-sponsored.
This flaw came to light after an alarming discovery earlier this year. In February, Amnesty reported that Cellebrite, a well-known provider of digital forensics tools used by law enforcement, had been exploiting a chain of three zero-day vulnerabilities to break into Android phones; one of the three is the vulnerability Google has just patched. According to Amnesty, the chain was used by Serbian authorities to spy on a student activist who had raised concerns about digital surveillance and the misuse of powerful hacking tools by governments.
The second vulnerability, CVE-2024-53150, is less well documented at the moment. It was found in the Android kernel, the core part of the operating system, and was discovered by Google's Benoît Sevens. Kernel vulnerabilities are particularly dangerous because code that exploits them runs with the highest privileges on the device, giving an attacker control over everything the operating system manages, including the sandboxing that normally keeps apps apart.
In its security bulletin, Google described the more critical of the two flaws as a "remote escalation of privilege" issue that requires no user interaction and no additional permissions, meaning a device could be compromised without the user doing, or noticing, anything.
As part of its standard procedure, Google said it would publish the source code for the patches within 48 hours, and noted that Android partners (such as Samsung, Xiaomi, and others) were notified about the issues at least a month in advance.
However, because Android is open source and the ecosystem is fragmented, it is up to each phone manufacturer to build these patches into its own firmware and ship them to users. That means some devices will be protected quickly, while others, especially older or lower-priority models, could remain vulnerable for some time.
- Zero-day vulnerabilities are among the most valuable types of security flaws for attackers, often selling for hundreds of thousands of dollars on the black market. They are especially prized for spying and surveillance purposes.
- Cellebrite, the company linked to these attacks, has long been controversial for selling its phone-unlocking tools to law enforcement agencies around the world. Critics say its technology can be misused by repressive regimes to target journalists, activists, or dissidents.
- Android fragmentation remains a challenge. While Google’s Pixel phones typically receive security updates quickly, devices from other brands may take weeks or even months, if they get updated at all.
If you're an Android user, make sure your phone is running the latest security update. You can check this under Settings > Security > Security update; the exact menu path varies by manufacturer and Android version, so look for the "Android security update" or "security patch level" date and compare it with the date on the bulletin that fixes these bugs. If your device is no longer receiving updates, it might be time to consider an upgrade, especially given how sophisticated mobile threats are becoming.
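For anyone who manages more than one device, or who does not trust an OEM's Settings menu to report the patch level clearly, the same check can be done from a workstation over adb. The following POSIX shell script is an added example, not code from the article or from Google. The property it reads, ro.build.version.security_patch, is the real Android system property that holds the patch level as YYYY-MM-DD. The default value of REQUIRED_PATCH is a placeholder assumption: take the real value from the Android security bulletin that carries the fixes for CVE-2024-53197 and CVE-2024-53150 and pass it in via the environment.

```shell
#!/bin/sh
# Added example (not from the original article or from Google): check an
# Android device's security patch level over adb and compare it with the
# level named in a security bulletin.
#
# ASSUMPTION: REQUIRED_PATCH must come from the bulletin you care about.
# The default below is only a placeholder, e.g.
#   REQUIRED_PATCH=2025-04-05 sh check_patch.sh --device [SERIAL]
#   REQUIRED_PATCH=2025-04-05 sh check_patch.sh --all
REQUIRED_PATCH="${REQUIRED_PATCH:-2025-04-05}"

# patch_level_ok LEVEL REQUIRED
# LEVEL is the value of ro.build.version.security_patch (YYYY-MM-DD).
# Returns 0 if LEVEL is at or after REQUIRED, 1 if it is older, and 2 if
# either argument is not a well-formed date (e.g. an empty adb reply).
patch_level_ok() {
    for d in "$1" "$2"; do
        case "$d" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) return 2 ;;
        esac
    done
    # Strip the dashes and compare as integers: 2025-04-05 -> 20250405.
    have=$(printf '%s' "$1" | sed 's/-//g')
    need=$(printf '%s' "$2" | sed 's/-//g')
    if [ "$have" -ge "$need" ]; then
        return 0
    fi
    return 1
}

# status_text LEVEL REQUIRED
# Prints a one-word verdict suitable for a fleet report.
status_text() {
    rc=0
    patch_level_ok "$1" "$2" || rc=$?
    case $rc in
        0) printf 'PATCHED\n' ;;
        1) printf 'OUTDATED\n' ;;
        *) printf 'UNKNOWN\n' ;;
    esac
}

# device_patch_level [SERIAL]
# Reads the property from a connected device; adb output ends in CR LF.
device_patch_level() {
    if [ -n "${1:-}" ]; then
        adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r\n'
    else
        adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
    fi
}

# report_device [SERIAL]
# Prints "<serial> <level> <verdict>" for one device.
report_device() {
    level=$(device_patch_level "${1:-}")
    printf '%s\t%s\t%s\n' "${1:-default}" "${level:-?}" \
        "$(status_text "$level" "$REQUIRED_PATCH")"
}

# report_all
# One line per device that adb currently lists in the "device" state.
report_all() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        report_device "$serial"
    done
}

# Only touch a device when asked to, so the functions above can also be
# sourced from another script.
case "${1:-}" in
    --device) report_device "${2:-}" ;;
    --all)    report_all ;;
esac
```

A device that reports a patch level older than the bulletin's date is still exposed to whatever that bulletin fixed, regardless of what the OEM's update screen says; a device whose patch level has not moved for many months is probably out of support, which is the signal to act on.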