One of the two vulnerabilities, tracked as CVE-2024-53197, was discovered with the help of Amnesty International in collaboration with Benoit Sevens from Google’s Threat Analysis Group, which focuses on tracking state-sponsored cyber activity.
Earlier in February, Amnesty had reported that the digital forensics company Cellebrite, known for supplying mobile unlocking tools to law enforcement, had been exploiting three separate Android zero-day flaws to hack into phones. One of these, which Google patched this week, had reportedly been used by local authorities in Serbia to target a student activist.
Details about the second vulnerability, CVE-2024-53150, are scarce. It was also discovered by Sevens and was located in the core of the Android operating system’s kernel—making it a potentially serious threat.
Google has not yet responded to media requests for comment on the matter.
Amnesty International spokesperson Hajera Maryam stated that the nonprofit currently has no additional information to share.
In its advisory, Google described one of the vulnerabilities as a critical system-level security flaw that could allow remote privilege escalation without requiring user interaction or additional privileges—making it especially dangerous.
Google noted that source code patches for both zero-day flaws would be released within 48 hours of the advisory. It also confirmed that Android partners were notified at least one month in advance of the public disclosure.
Given Android’s open-source structure, it's now up to individual device manufacturers to distribute the patches to their users.