Google’s Pixel update had a nasty sting in its tail this month. Buried among dozens of routine and important fixes and Android’s quarterly feature drop was CVE-2024-32896. This high-severity firmware vulnerability, Google warned, “may be under limited, targeted exploitation.”
Google has provided little detail on this zero-day (more on that below), but the U.S. government has stepped in and ordered federal agencies to update their Pixel devices before July 4 “or discontinue use of the product.” That gives you just ten days to act. The mandate is directed at government agencies, but other enterprises should do the same and require full employee compliance. Personal users should also take heed, especially if they connect their devices to any enterprise systems.
The US government warning comes by way of the Known Exploited Vulnerabilities (KEV) catalog, managed by CISA, the Cybersecurity and Infrastructure Security Agency. Its entry says only that “Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation.”
While Google has not provided further details on the zero-day vulnerability, GrapheneOS has said this is the second part of a fix for vulnerabilities it reported in April, which are “being actively exploited in the wild by forensic companies.”
Worryingly, the project also says that this isn’t just a Pixel issue. “It’s fixed on Pixels with the June update (Android 14 QPR3) and will be fixed on other Android devices when they eventually update to Android 15. If they don’t update to Android 15, they probably won’t get the fix, since it has not been backported.”
Given that the exploited vulnerability has made its way onto CISA’s KEV catalog, it is unclear what owners of other Android devices, which may carry the same risk with no immediate mitigation, should do. We await anything further on this.
GrapheneOS describes the two vulnerabilities as “memory not wiped when booting firmware-based fastboot mode, allowing exploiting it to get previous OS memory; [and] AOSP device admin API depends on reboot-to-recovery to wipe before Android 14 QPR3,” warning that “neither issue is being fixed outside Pixels yet.”
Google’s June update came the same week as a report into the dangers of Play Store freeware, and days after Zscaler warned it had “identified and analyzed more than 90 malicious applications uploaded to Play store… with over 5.5 million installs.”
And then this week, the cyber team at Check Point warned of an Android trojan—Rafel—that had been detected in at least 120 malicious campaigns. And while this mainly targeted older, unsupported devices, “users of current Android versions should be concerned, this threat is capable of infecting a wide range of Android versions, from the oldest unsupported versions to the most recent ones.”
All told, an alarming backdrop for Android users. CISA’s mandate should be taken seriously by all Pixel owners, who should update before the July 4 holiday if they have not already. The download should be automatic, and a reboot ensures it fully installs. Google publishes instructions for checking whether your Pixel has installed the update.
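For an enterprise that has to prove compliance rather than trust the automatic download, the check reduces to reading each device’s security patch level over adb. The script below is an added example, not code from the article, Google or CISA: it parses `getprop` output for `ro.build.version.security_patch` and `ro.build.id`, compares the patch date against a threshold, and reports each device as OK or OUTDATED. The threshold date 2024-06-05 is assumed here from Google’s June 2024 Pixel bulletin; adjust it to whatever level your policy requires. The two `getprop` samples at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): verify that Pixel devices have
# installed the June 2024 update by checking their security patch level.

# Assumed threshold: the patch level Google's June 2024 Pixel bulletin
# ships with. Change this when a later bulletin becomes the baseline.
REQUIRED_PATCH="2024-06-05"

# patch_is_current PATCH REQUIRED
# Returns 0 when PATCH (YYYY-MM-DD) is on or after REQUIRED, 1 otherwise.
# An empty or malformed PATCH string is treated as non-compliant.
patch_is_current() {
  p=$(printf '%s' "$1" | tr -cd '0-9')
  r=$(printf '%s' "$2" | tr -cd '0-9')
  [ -n "$p" ] && [ "${#p}" -eq 8 ] && [ "$p" -ge "$r" ]
}

# assess_device SERIAL GETPROP_TEXT
# Extracts the build ID and patch level from `adb shell getprop` output,
# prints a one-line verdict and returns 0 (compliant) or 1 (outdated).
assess_device() {
  serial=$1
  props=$(printf '%s\n' "$2" | tr -d '\r')   # adb shell may emit CRLF
  patch=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\(.*\)\]$/\1/p')
  build=$(printf '%s\n' "$props" | sed -n 's/^\[ro\.build\.id\]: \[\(.*\)\]$/\1/p')
  if patch_is_current "$patch" "$REQUIRED_PATCH"; then
    echo "$serial build=${build:-unknown} patch=$patch OK"
    return 0
  fi
  echo "$serial build=${build:-unknown} patch=${patch:-unknown} OUTDATED"
  return 1
}

# check_connected_devices
# Live mode: runs assess_device against every device adb currently sees
# (state "device", i.e. authorized). Returns 1 if any device is outdated.
check_connected_devices() {
  rc=0
  for s in $(adb devices 2>/dev/null | awk 'NR>1 && $2=="device"{print $1}'); do
    assess_device "$s" "$(adb -s "$s" shell getprop)" || rc=1
  done
  return $rc
}

# Constructed sample getprop output (not captured from real devices):
# a device still on the May 2024 level and one on the June 2024 level.
SAMPLE_OLD='[ro.build.id]: [AP1A.240505.005]
[ro.build.version.security_patch]: [2024-05-05]'
SAMPLE_NEW='[ro.build.id]: [AP2A.240605.024]
[ro.build.version.security_patch]: [2024-06-05]'

# Run live against attached devices with `--live`; otherwise demo on samples.
if [ "${1:-}" = "--live" ]; then
  check_connected_devices
else
  assess_device "DEMO-OLD" "$SAMPLE_OLD"
  assess_device "DEMO-NEW" "$SAMPLE_NEW"
fi
```

Running it with `--live` from a workstation with `adb` on the PATH walks every authorized device; a non-zero exit means at least one device still needs the update (or a reboot to finish installing it). A device whose `getprop` output lacks the patch property is reported as OUTDATED rather than silently passed.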