Google has released a security update for Android that patches two zero-day vulnerabilities which were being actively exploited. The update, which rolled out on Monday, addresses flaws that the company says may have been used in limited, targeted attacks against real users.
One of the vulnerabilities, tracked as CVE-2024-53197, was uncovered through a collaboration between Amnesty International and Benoît Sevens of Google's Threat Analysis Group. The flaw is notable because it was one of a trio of zero-day exploits that, according to Amnesty, were used by local Serbian authorities to hack the phone of a student activist. The hacking tool in question was reportedly developed by Cellebrite, a company known for supplying phone-cracking devices to law enforcement agencies around the world.
Amnesty first disclosed details of the Cellebrite-linked attack chain in February. The organization reported that Cellebrite's tooling had been using these zero-days to gain unauthorized access to Android phones, bypassing the platform's normal security controls. Now that Google has officially patched CVE-2024-53197, that vector is closed, but only on devices that actually receive and install a build carrying the fix; a phone that is still on an older security patch level remains exposed.
The second vulnerability, CVE-2024-53150, has fewer public details available. What is known is that it affects the kernel, the foundational layer of the Android operating system. Google credited its discovery to the same researcher, Benoît Sevens, but has not yet shared further technical specifics. Vendors commonly withhold details while a flaw is under active exploitation, to avoid handing other attackers a roadmap before patches have reached devices.
In its security advisory, Google stated that the most severe of the patched issues could allow remote escalation of privilege on a device with no user interaction required. In practice, that means an attacker could potentially take control of a phone silently, without the victim tapping a link, opening a file or granting any permission. Vulnerabilities of this class are exactly what threat actors, especially government-backed ones and the vendors that supply them, seek out and pay for.
The company also said it would publish the source code for the fixes to the Android Open Source Project within 48 hours of the advisory. Android partners were notified of the vulnerabilities at least a month before publication, but it now falls on individual device manufacturers to integrate the patches into their own builds and ship them to users. This reflects one of Android's long-standing challenges: because each manufacturer maintains its own version of the operating system, security patches must be integrated and released separately by each of them, so some users wait weeks or months, and devices no longer supported by their manufacturer may never receive the fix at all.
Google did not provide additional comment at the time of writing. Amnesty spokesperson Hajira Maryam said the nonprofit had nothing further to share at this point.
The update highlights the ongoing cat-and-mouse game between security researchers and spyware vendors. While Google's patch will protect users whose devices receive it, the episode also raises fresh concerns about the use of commercial surveillance tools against activists, journalists and others around the globe.