Google has confirmed two zero-day vulnerabilities are being actively exploited in the wild, according to the company’s latest security bulletin. The flaws, tracked as CVE-2024-43093 and CVE-2024-43047, impact the Android operating system and Qualcomm chipsets respectively. CVE-2024-43093 is described as a privilege escalation flaw in the Android Framework component that could allow unauthorized access to “Android/data,” “Android/obb,” and “Android/sandbox” directories and their sub-directories.
Google has not provided further details on how the vulnerability is being weaponized in real-world attacks. The second vulnerability, CVE-2024-43047, is a use-after-free bug in Qualcomm’s Digital Signal Processor (DSP) Service that could lead to memory corruption if successfully exploited. Qualcomm confirmed fixes for this flaw had been made available to customers as of September 2024.
Google’s Threat Analysis Group and Amnesty International’s Security Lab both flagged the exploitation of the Qualcomm vulnerability.
Android flaw affects multiple directories
The human rights group’s involvement suggests a possible link to state-backed hacking or surveillance activities, although specific victims have not been disclosed.
Pixel users are urged to install the security update as soon as it becomes available on their devices. However, some users have reported issues with loading apps after installing the update, attributed to a potential clash between Android 15 and a Google Play update. Kern Smith, vice president of global sales engineering at mobile cybersecurity firm Zimperium, emphasized the increasing trend of attackers targeting mobile devices to infiltrate corporate data and exploit supply chains.
He noted that mobile devices face similar challenges as other endpoints, especially when they are integral to both personal and professional lives. The security bulletin reported fixes for a total of 44 CVEs. Google has not released further details on the vulnerabilities at this stage to allow users the opportunity to update their devices first.