The CISA renewal period expires on July 4
AFP via Getty ImagesGoogle’s Pixel update suffered an unpleasant blip on its tail this month. CVE-2024-32896 was among dozens of important and performance updates and Android’s quarterly feature reduction. This highly serious software vulnerability, Google warned“may be subject to limited, targeted exploitation.”
Google has provided few details about this zero-day — more on that below — but the US government has stepped in, ordering federal employees to update their Pixel devices before July 4 “or stop using the product.” This gives you only ten days to act. The notice is aimed at government agencies, but other businesses will have to do the same and tell employees to fully comply. Personal users should also be careful, especially if they connect their devices to any enterprise systems.
A US government alert comes with its Known Exploitable Vulnerabilities (KEV) directory, managed by CISA – Cyber Security and Infrastructure Security Agency. “The Android Pixel software contains an unspecified vulnerability that could allow elevation of privilege,” its advisory simply states.
While Google did not provide further details on the zero-day vulnerability, GrapheneOS said it was the second part of a patchwork of vulnerabilities it reported in April that were “actively exploited in the wild by forensic companies.”
Unfortunately, the firm says it’s not just a Pixel issue. “This was fixed on Pixels with the June update (Android 14 QPR3) and will be fixed on other Android devices when they update to Android 15. If they don’t update to Android 15, they probably won’t be able to get the fix because it hasn’t been found yet.”
Given that the exploited vulnerability is listed in CISA’s KEV directory, it’s unclear what owners of other Android devices that are potentially at risk without immediate mitigation should do. Looking forward to more on this.
GrapheneOS describes these two vulnerabilities as follows: “Memory is not deleted when loading firmware-based fastboot mode, allowing it to be used to retrieve previous OS memory; [and] AOSP device admin API depends on reboot for recovery to remove before Android 14 QPR3” and warns “No issues fixed outside of Pixels yet”.
Google’s June update came the same week and days after a report on the dangers of Play Store freeware Zscaler “Identified and analyzed over 90 malware uploaded to the Play Store… with over 5.5 million installs,” it warned.
And this week, the cyber team at Check Point warned of Rafel, an Android trojan found in at least 120 malicious campaigns. While it mainly targets older, unsupported devices, “users of current Android versions should be concerned, this threat can infect a wide range of Android versions, from the oldest unsupported versions to the latest versions.”
All this is an exciting background for Android users. CISA’s mandate should be taken seriously by all Pixel owners and they should update before the 4th of July, if not yet. The download should be automatic and a reboot will ensure it is fully installed. You can find instructions on how to check for an update on your Pixel device here.