Saturday, November 23, 2024

Your Android device is vulnerable to attack and Google's fix is imminent


Jack Wallen/ZDNET

If you follow the Android Security Bulletin, then you might have noticed a listing for the November security patch level that includes two critical vulnerabilities, which are:

  • CVE-2024-43047
  • CVE-2024-43093

According to the bulletin, “There are indications that the following may be under limited, targeted exploitation.”


The first of those vulnerabilities, CVE-2024-43047, is described as “memory corruption while maintaining memory maps of HLOS memory.” It affects the Qualcomm Digital Signal Processor (DSP) service on several Qualcomm chipsets; the resulting memory corruption can let attackers escalate privileges and compromise affected devices.

Qualcomm issued a patch for this vulnerability back in October, and it has been included in the November Android Security Update to provide wider distribution and remediation.

The second issue, CVE-2024-43093, is an escalation-of-privilege vulnerability in Android’s framework component in versions 12, 13, 14, and 15 that can expose a significant portion of Android to attack.

Google will be issuing two patch levels:

  • The November 1 patch level targets the core Android components (including the framework and system).
  • The November 5 patch level addresses the issues with Qualcomm chipsets, as well as MediaTek, Imagination Technologies, and more.

What this means is that your Android device will not be safe from these vulnerabilities until the November 5 patch level is applied.


After a quick check of my Pixel 9 Pro (running Android 15), I’m still on the October 5 patch level, which means my device is still vulnerable.

What you can do

Given that Google has yet to make the November 1 patch level available, the only thing you can do is keep checking for a system update. To do that on Android 15, go to Settings > System > “Software updates” and check to see what patch level your device is running. If it’s out of date, tap “System update” and then tap “Check for update.” As soon as an update becomes available, apply it.

Screenshot: The Android 15 update page. My Pixel 9 Pro is behind on the updates. (Screenshot by Jack Wallen/ZDNET)

If you only get the November 1 patch level added, keep checking daily for the November 5 patch level and apply it as soon as it becomes available. If you leave those patches unapplied, your device will remain vulnerable to these critical issues.
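For anyone checking more than one handset, the same patch-level check can be scripted over adb. This is an added example, not from the article: the function names and verdict labels are made up for illustration, it assumes adb is installed with USB debugging authorized on each device, and it reads the standard `ro.build.version.security_patch` property.

```shell
#!/bin/sh
# Added example (not from the article): compare Android security patch levels
# with the two November 2024 levels the article describes.
# Function names and verdict labels are hypothetical.

FRAMEWORK_LEVEL="2024-11-01"  # framework/system fixes, incl. CVE-2024-43093
VENDOR_LEVEL="2024-11-05"     # Qualcomm and other vendor fixes, incl. CVE-2024-43047

# Convert YYYY-MM-DD to the integer YYYYMMDD; fail on anything else.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# Print a verdict for one patch-level string.
classify_patch_level() {
    cur=$(level_to_int "$1") || { echo "unknown"; return 0; }
    if [ "$cur" -ge "$(level_to_int "$VENDOR_LEVEL")" ]; then
        echo "both-fixed"
    elif [ "$cur" -ge "$(level_to_int "$FRAMEWORK_LEVEL")" ]; then
        echo "framework-only"   # CVE-2024-43047 still open
    else
        echo "unpatched"        # both CVEs still open
    fi
}

# Read the patch level from one device. stdin is redirected so adb does not
# swallow the serial list being read by the caller's loop.
device_patch_level() {
    adb -s "$1" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r'
}

# Report every authorized device as: serial, patch level, verdict.
check_all_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        level=$(device_patch_level "$serial")
        printf '%s\t%s\t%s\n' "$serial" "$level" "$(classify_patch_level "$level")"
    done
}

# Only touch adb when asked to: sh patchcheck.sh --scan
if [ "${1:-}" = "--scan" ]; then
    check_all_devices
fi
```

A device reported as `framework-only` has the November 1 level but still needs the November 5 level for the Qualcomm fix.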

Be safe and always update.
