Google fixes Android security flaws actively exploited in targeted attacks by hackers

Google has released fixes for two security bugs in Android devices that were found to have been actively exploited, which means that hackers used these vulnerabilities to gain access to Android systems. The security flaws “may be under limited, targeted exploitation,” Google said in a security bulletin published on the Android blog on Monday, April 7.
Since the hackers may have exploited the Android security bugs before developers knew about them and released patches for them, the attack could be termed a zero-day attack. Google also suggested that one of the two security flaws was a zero-click vulnerability, meaning that user interaction was not required to compromise the security of targeted Android devices.
“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed,” the security bulletin read.
Google further said that source code patches for these issues will be released to the Android Open Source Project (AOSP) repository in the next 48 hours. Android partners are generally notified of all such issues at least a month before a security bulletin is released, it added.
The second zero-day security flaw, tracked as ‘CVE-2024-53197’, was also flagged by Google’s security team, which primarily monitors state-backed cyberattacks. This vulnerability was reportedly found in the kernel, or core, of the Android operating system.
