The most serious issue, tracked as CVE-2024-53197, is a privilege escalation flaw in the USB-audio driver of the Linux kernel used by Android. According to Google’s security bulletin, it could “lead to remote escalation of privilege with no additional execution privileges needed” and “user interaction is not needed for exploitation.”
The second flaw, CVE-2024-53150, is tied to an “out-of-bound read” in Android’s kernel, which could allow local attackers to access sensitive data without the user’s knowledge. Both vulnerabilities were discovered by Google’s Threat Analysis Group and Amnesty International, and were reportedly exploited by Cellebrite—an Israeli digital forensics firm that supplies data extraction tools to law enforcement.
Used in Real-World Attacks
Amnesty International said it found these vulnerabilities being used to hack into the phone of a Serbian student activist. According to the findings, Cellebrite used the flaws as part of a zero-day exploit chain to break into the locked Android device.
The non-profit’s spokesperson, Hajira Maryam, stated they had no additional comments to share at the moment. Google also declined to provide further detail on how the second vulnerability might have been used.
Google has confirmed that the vulnerabilities are being “under limited, targeted exploitation,” a warning that emphasizes the urgency of the situation. GrapheneOS, a security-focused Android variant, noted that these were “both vulnerabilities for locked devices” and claimed their system “made both far harder to exploit while unlocked.”
Update Rollout and Device Impact
Pixel users are receiving the update first. Google said its partners were notified about these issues at least a month before publication and that source code patches would be released within 48 hours of the advisory.However, due to Android’s fragmented ecosystem, users of other brands like Samsung, OnePlus, or Motorola may have to wait for their respective manufacturers to release the patch. While Samsung was previously criticized for delays in patch rollouts, it has included both CVE-2024-53150 and CVE-2024-53197 in its April update.
Global Warnings and Broader Cybersecurity Concerns
This emergency update coincides with a global alert from several intelligence agencies. The U.K.’s National Cyber Security Centre (NCSC), along with cybersecurity agencies from the U.S., Canada, Germany, Australia, and New Zealand, issued warnings about the use of two spyware tools, MOONSHINE and BADBAZAAR, by threat actors linked to the Chinese state. These tools reportedly “trojanise” legitimate apps to gain access to microphones, cameras, messages, photos, and even location data.
Such tools have been used to target specific communities and civil society organizations, underlining the need for rapid security response.
Security experts advise all Android users to update their devices immediately. If you are using a Pixel phone, the update is already available. Users of other devices should keep checking for updates and install them as soon as they are released.
Additionally, users are encouraged to use reputable antivirus software, avoid clicking on suspicious links, and refrain from opening attachments from unknown sources. While 62 vulnerabilities may seem alarming, it is crucial to note that these issues have now been patched. The biggest risk now lies in users failing to apply the update.