New Android warning for all users
Google has warned that Android is under attack again. This month's security release fixes two actively exploited vulnerabilities, one of which is being shipped for the second time. We saw a similar warning last month, as Android continues to face forensic-extraction tools and other attacks. Now users have a 20-day deadline, until March 25th, to update or stop using their phones.
That warning comes by way of the U.S. cyber defense agency, CISA, whose Known Exploited Vulnerabilities (KEV) catalog sets a binding remediation deadline for federal civilian agencies under Binding Operational Directive 22-01 and a strong recommendation for every other organization, in keeping with its remit to keep America cyber secure. As I said when Google confirmed the latest attacks, a CISA update order was inevitable.
The update mandate covers CVE-2024-50302, a Linux kernel flaw in the HID driver that can leak uninitialized kernel memory when a crafted USB peripheral is connected to a device. The good news is that exploiting it requires physical access to the phone; the bad news is that it is a kernel-level bug that can be chained into privilege escalation, giving an attacker access to the device and the data on it.
The second of this month's critical fixes is the more interesting. CVE-2024-43093 is, as CISA puts it, “an unspecified vulnerability that allows for privilege escalation” in Android’s Framework component. CISA also added this one to its catalog of actively exploited flaws, but did so back in November, when Google fixed it the first time around.
Update deadline
CVE-2024-50302 featured in an Amnesty International report on an alleged attack on a Serbian activist. In that report, published last month, the organization warned that such vulnerabilities have “been patched upstream in the Linux kernel but have not yet been included in an Android Security Bulletin.” That is now fixed.
Amnesty says that a forensic analysis of the device “found clear evidence of exploitation which Amnesty International can confidently attribute to the use of Cellebrite’s UFED product. The logs also show that the Cellebrite product enabled the authorities to successfully gain privileged root access to the phone and to unlock the device.”
In response, Cellebrite has said that “after a review of the allegations brought forth by the December 2024 Amnesty International report, Cellebrite took precise steps to investigate each claim in accordance with our ethics and integrity policies. We found it appropriate to stop the use of our products by the relevant customers at this time.”
For Android users, these are vulnerabilities you want to patch as soon as you can. Pixel users should see the update within days, while we still await timing from Samsung on the newly fixed kernel flaw, although the November fix has now been reissued.
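One practical check that follows from the deadline above, added here as an example and not part of the original article: read the patch level the device actually reports and compare it with the bulletin level that carries these fixes. Android exposes the patch level as an ISO date in the ro.build.version.security_patch system property, readable over adb, so the comparison is a date comparison. The required level 2025-03-05 is an assumption based on the standard bulletin structure (the -05 level of a month includes every fix in that month's bulletin, kernel fixes included); the offline fallback value is constructed sample data, not a real device reading.

```shell
#!/bin/sh
# Compare an Android device's reported security patch level with the bulletin
# level that carries a given set of fixes. Added example, not from the article.
#
# Assumption: the 2025-03-05 patch level covers both CVE-2024-43093 (Framework,
# 2025-03-01 level) and CVE-2024-50302 (kernel, 2025-03-05 level), since the
# -05 level of a month includes everything in that month's bulletin.
REQUIRED_LEVEL="2025-03-05"

# Return 0 if $1 is a well-formed YYYY-MM-DD string, 1 otherwise.
valid_patch_level() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Return 0 if level $1 is at or after required level $2, 1 otherwise
# (including when either value is malformed). Stripping the dashes turns
# YYYY-MM-DD into an integer that orders the same way the dates do.
patch_level_is_current() {
  valid_patch_level "$1" && valid_patch_level "$2" || return 1
  lvl=$(printf '%s' "$1" | tr -d '-')
  req=$(printf '%s' "$2" | tr -d '-')
  [ "$lvl" -ge "$req" ]
}

# Print one word for level $1 against required level $2:
# "invalid", "current" or "outdated".
classify_patch_level() {
  if ! valid_patch_level "$1"; then
    echo invalid
  elif patch_level_is_current "$1" "$2"; then
    echo current
  else
    echo outdated
  fi
}

# Read the patch level from an attached device when adb is available;
# otherwise fall back to a constructed sample so the script runs offline.
read_device_patch_level() {
  if command -v adb >/dev/null 2>&1; then
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
  else
    echo "2024-11-05"   # constructed sample: a phone still on the November 2024 level
  fi
}

main() {
  level=$(read_device_patch_level)
  status=$(classify_patch_level "$level" "$REQUIRED_LEVEL")
  echo "device patch level: $level (required: $REQUIRED_LEVEL) -> $status"
}

main
```

Run it with a phone attached and USB debugging enabled and it reports whether the device is at or beyond the required level; without adb it evaluates the constructed sample and reports "outdated". A fleet check can call patch_level_is_current directly and act on its exit status, and the validation step matters because a missing or malformed property (as on some heavily customised builds) should count as a failure rather than pass by accident.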