Google has released an update for Android to fix two zero-day flaws that have been exploited in targeted attacks, according to a recent advisory. The tech giant warned that the vulnerabilities, tracked as CVE-2024-53197 and CVE-2024-53150, "may be under limited, targeted exploitation," indicating that hackers have been using them to compromise Android devices in real-world scenarios.
One of the patched zero-days, CVE-2024-53197, was identified by Amnesty International in collaboration with Benoît Sevens of Google's Threat Analysis Group. In February, Amnesty revealed that Cellebrite, a company that sells devices to law enforcement for unlocking and forensically analyzing phones, was exploiting a chain of three zero-day vulnerabilities to hack into Android phones. The vulnerability was used against a Serbian student activist by local authorities using Cellebrite's tools.
The second vulnerability, CVE-2024-53150, was also discovered by Sevens and is located in the kernel, the core of an operating system. However, details about this flaw are scarce, with Google and Amnesty declining to comment. Google's advisory notes that the most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed, and that user interaction is not needed for exploitation.
The update highlights the importance of timely security patches, particularly for Android devices. As an open-source operating system, Android relies on its partners to push patches to their users. Google said it would release source code patches for the two fixed zero-days within 48 hours of the advisory, and that Android partners were notified of all issues at least a month before publication. This means that every phone manufacturer must now push patches out to their own users to protect them from these vulnerabilities.
The exploitation of these zero-days by law enforcement agencies raises concerns about the use of hacking tools and the potential for abuse. Cellebrite's involvement in the hacking of the Serbian student activist's phone highlights the need for greater transparency and accountability in the use of such tools. The incident also underscores the importance of robust security measures and regular software updates to protect against these types of threats.
Google's swift patching of these vulnerabilities is a positive step towards ensuring the security of Android users. However, the incident serves as a reminder of the ongoing cat-and-mouse game between hackers and security teams. As the use of zero-day exploits continues to rise, it is essential for tech companies, governments, and users to work together to stay ahead of these threats and protect against potential abuses.