On Monday, Google launched an replace for Android that fixes two zero-day flaws that “could also be underneath restricted, focused exploitation,” as the corporate put it. Which means Google is conscious that hackers have been and should be utilizing the bugs to compromise Android units in real-world eventualities.
One of many two now-fixed zero-days, tracked as CVE-2024-53197, was recognized by Amnesty Worldwide in collaboration with Benoît Sevens of Google’s Menace Evaluation Group, the tech big’s safety staff that tracks government-backed cyberattacks.
In February, Amnesty mentioned it had discovered that Cellebrite, an organization that sells units to legislation enforcement for unlocking and forensically analyzing telephones, was profiting from a sequence of three zero-day vulnerabilities to hack into Android telephones.
Contact Us
Do you could have extra details about Android zero-days? From a non-work gadget, you possibly can contact Lorenzo Franceschi-Bicchierai securely on Sign at +1 917 257 1382, or by way of Telegram and Keybase @lorenzofb, or e mail. You can also contact TechCrunch by way of SecureDrop.
On this case, Amnesty discovered the vulnerabilities, together with the one patched on Monday, getting used towards a Serbian scholar activist by native authorities armed with Cellebrite.
There isn’t numerous info, nonetheless, on the second vulnerability, CVE-2024-53150, patched on Monday, apart from the truth that its discovery was additionally credited to Google’s Sevens and that the flaw was discovered within the kernel, the core of an working system.
Google didn’t instantly reply to a request for remark.
Amnesty spokesperson Hajira Maryam mentioned the non-profit didn’t have something to share at this level.
The tech big mentioned in its advisory that “probably the most extreme of those points is a crucial safety vulnerability within the System part that would result in distant escalation of privilege with no further execution privileges wanted,” and that, “consumer interplay will not be wanted for exploitation.”
Google mentioned that it could push supply code patches for the 2 mounted zero-days inside 48 hours of the advisory, whereas additionally noting that Android companions are “notified of all points a minimum of a month earlier than publication.”
Given Android’s open supply nature, each cellphone producer now has to push patches out to their very own customers.
This story was up to date to incorporate Amnesty’s response.
