Android affected by critical vulnerabilities: hackers can take control without any interaction


Google has patched severe Android vulnerabilities, some of which could allow attackers to gain control of a device without user interaction or additional execution privileges. Two zero-day vulnerabilities have already been exploited to unlock phones.

Owners of outdated or no longer supported Android devices should beware: these devices remain open to attackers.

The monthly Android Security Bulletin details fixes for 62 vulnerabilities across Android devices, and a few of them are especially dangerous.

The critical vulnerabilities were found and fixed in the Android framework (a set of core software components that sit on top of the Linux kernel), the Android system, and Qualcomm components.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation,” Google’s advisory reads.

Additionally, Google warns that hackers are already exploiting two high-severity vulnerabilities affecting the Linux kernel, specifically the Advanced Linux Sound Architecture (ALSA) USB audio driver.

The first one, labeled CVE-2024-53150, affects the USB-handling part of the OS.

“The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads,” the explanation reads.

Another similar out-of-bounds flaw also affects the USB-audio driver and is labeled CVE-2024-53197.
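
The `bLength` check that the quoted explanation for CVE-2024-53150 describes as missing can be illustrated with a small descriptor walker. This is an added example, not the kernel's code or its patch: the helper name `find_clock_source`, the constant names and the sample byte strings are assumptions made here, with the type, subtype and size values following the USB Audio Class 2.0 clock source descriptor layout.

```c
#include <stddef.h>
#include <stdint.h>

#define DT_CS_INTERFACE   0x24 /* class-specific interface descriptor */
#define SUBTYPE_CLOCK_SRC 0x0a /* UAC2 clock source subtype */
#define CLOCK_SRC_LEN     8    /* size of a UAC2 clock source descriptor */

/* Constructed samples, not captured from any device. */
static const uint8_t sample_ok[] = { 0x08, 0x24, 0x0a, 0x05, 0x01, 0x00, 0x00, 0x00 };
/* Bogus 3-byte clock descriptor (bClockID lies outside it), then a valid one. */
static const uint8_t sample_short[] = {
    0x03, 0x24, 0x0a,
    0x08, 0x24, 0x0a, 0x07, 0x01, 0x00, 0x00, 0x00,
};
/* bLength claims 8 bytes but only 4 are present. */
static const uint8_t sample_overrun[] = { 0x08, 0x24, 0x0a, 0x05 };
/* bLength of 0 would stall a walker that trusts it. */
static const uint8_t sample_zero[] = { 0x00, 0x24, 0x0a, 0x05 };

/* Hypothetical helper: first well-formed clock source with this bClockID, or NULL. */
const uint8_t *find_clock_source(const uint8_t *buf, size_t len, uint8_t clock_id)
{
    size_t off = 0;

    while (len - off >= 2) {              /* room for bLength + bDescriptorType */
        const uint8_t *d = buf + off;
        size_t blen = d[0];

        if (blen < 2 || blen > len - off) /* stalls or runs past the buffer */
            return NULL;
        /* Only touch d[2] and d[3] once bLength says they belong to d. */
        if (d[1] == DT_CS_INTERFACE && blen >= CLOCK_SRC_LEN &&
            d[2] == SUBTYPE_CLOCK_SRC && d[3] == clock_id)
            return d;
        off += blen;
    }
    return NULL;
}
```

A walker without the `blen >= CLOCK_SRC_LEN` test would match `sample_short` for clock ID `0x08`, because it would read the next descriptor's `bLength` byte as `bClockID`.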

These high-severity zero-days were exploited by Israeli digital forensics company Cellebrite, which enabled Serbian authorities to unlock confiscated Android devices, Bleeping Computer reports.

All Android partners were informed a month before the 62 addressed Android flaws were published. Google assures that exploitation of many Android issues is made more difficult by enhancements in newer Android platforms. Google Play Protect actively warns users about potentially harmful applications and is enabled by default.

“We encourage all users to update to the latest version of Android where possible,” Google said.