Two Zero-Day Android Flaws Exploited in Google Pixel

Google has disclosed two Android zero-day security vulnerabilities in its Pixel smartphones, with patches already available per the recent Pixel Update Bulletin. Even more concerning, the flaws are already being exploited in targeted attacks.

Two Android zero-day vulnerabilities exploited in targeted attacks

In a recent announcement, Google disclosed the detection of two zero-day security vulnerabilities in its Pixel smartphones.

The first vulnerability, CVE-2024-29745 (CVSS 7.2), pertains to an information disclosure flaw in the bootloader component, potentially compromising data confidentiality.

The second vulnerability, CVE-2024-29748, involves a privilege escalation flaw in the firmware component, enabling unauthorized access and control over the device.

According to Google’s advisory, these vulnerabilities were addressed on April 2, 2024. However, GrapheneOS developers originally discovered them in early January 2024. Fortunately, they are subject only to limited, targeted exploitation, which reduces the risk of widespread attacks. Nonetheless, Google urges all Pixel smartphone users to promptly update their devices to the latest software version.

Although Google has not provided specifics on the attacks, GrapheneOS developers have indicated active exploitation of this flaw. Moreover, CISA has updated its Known Exploited Vulnerabilities Catalog to reflect the current exploitation of these vulnerabilities.

CVE-2024-29745 is associated with a vulnerability in the fastboot firmware, which supports device operations such as unlocking, flashing, and locking. Threat actors can exploit this flaw to access the device’s memory without privileges or user interaction.

CVE-2024-29748 enables circumvention of factory resets initiated by apps using the device admin API: the reset process can potentially be halted, although doing so requires physical interaction. While Google has partially addressed the issue, GrapheneOS notes that cutting power to the device can still disrupt the reset. This has prompted them to develop a more comprehensive solution involving a stronger duress PIN/password feature and a secure “panic wipe” action that can be executed without rebooting.

Recommendations

As cyber threats become more sophisticated, users must manually verify that their devices are running the latest software version. Staying informed about security updates and best practices is crucial for safeguarding digital assets. Google’s disclosure underscores the ongoing battle for cybersecurity and the necessity for continuous improvement in defense mechanisms to protect personal information.

About the Author:

FirstHackersNews - Identifies Security
