Google has disclosed that two Android safety flaws impacting its Pixel smartphones have been exploited within the wild by forensic firms.
The high-severity zero-day vulnerabilities are as follows –
- CVE-2024-29745 – An info disclosure flaw within the bootloader part
- CVE-2024-29748 – A privilege escalation flaw within the firmware part
“There are indications that the [vulnerabilities] may be under limited, targeted exploitation,” Google mentioned in an advisory printed April 2, 2024.
Whereas the tech big didn’t reveal every other details about the character of the assaults exploiting these shortcomings, the maintainers of GrapheneOS mentioned they “are being actively exploited in the wild by forensic companies.”
“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking,” they mentioned in a collection of posts on X (previously Twitter).
“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.”
GrapheneOS famous that CVE-2024-29748 may very well be weaponized by native attackers to interrupt a manufacturing unit reset triggered by way of the gadget admin API.
The disclosure comes greater than two months after the GrapheneOS workforce revealed that forensic firms are exploiting firmware vulnerabilities that affect Google Pixel and Samsung Galaxy telephones to steal information and spy on customers when the units should not at relaxation.
It additionally urged Google to introduce an auto-reboot function to make exploitation of firmware flaws harder.