On Monday, Google launched an replace for Android that fixes two zero-day flaws that “could also be below restricted, focused exploitation,” as the corporate put it. Which means Google is conscious that hackers have been and should still be utilizing the bugs to compromise Android units in actual world eventualities.
One of many two now-fixed zero-days, tracked as CVE-2024-53197, was recognized by Amnesty Worldwide in collaboration with Benoît Sevens of Google’s Risk Evaluation Group, the tech big’s security crew that tracks government-backed cyberattacks..
In February, Amnesty mentioned it had discovered that Cellebrite, an organization that sells units to legislation enforcement for unlocking and forensically analyzing telephones, was benefiting from a series of three zero-day vulnerabilities to hack into Android telephones.
Contact Us
Do you could have extra details about Android zero-days? From a non-work gadget, you’ll be able to contact Lorenzo Franceschi-Bicchierai securely on Sign at +1 917 257 1382, or by way of Telegram and Keybase @lorenzofb, or e mail. You can also contact information.killnetswitch by way of SecureDrop.
On this case, Amnesty discovered the vulnerabilities, together with the one patched on Monday, getting used towards a Serbian scholar activist by native authorities armed with Cellebrite.
There isn’t a number of data, nonetheless, on the second vulnerability, CVE-2024-53150, patched on Monday, apart from the truth that its discovery was additionally credited to Google’s Sevens and that the flaw was discovered within the kernel, the core of an working system.
Google didn’t instantly reply to a request for remark.
Amnesty spokesperson Hajira Maryam mentioned the non-profit didn’t have something to share at this level.
The tech big mentioned in its advisory that “probably the most extreme of those points is a crucial security vulnerability within the System element that might result in distant escalation of privilege with no extra execution privileges wanted,” and that, “consumer interplay is just not wanted for exploitation.”
Google mentioned that it could push supply code patches for the 2 fastened zero-days inside 48 hours of the advisory, whereas additionally noting that Android companions are “notified of all points not less than a month earlier than publication.”
Given Android’s open supply nature, each cellphone producer now has to push patches out to their very own customers.
This story was up to date to incorporate Amnesty’s response.
