The US government has issued a dire warning to workers with Pixel phones, requiring a security update by July 4, as originally reported by Forbes. This is due to a highly serious software vulnerability in the Android operating system that could open devices to “restricted, targeted exploitation”.
There is already a patch for the zero-day, but a visit to the settings app is required to ensure the device is up to date. Government employees who do not install the security update by July 4 must “stop using the product.” Of course, the rest of us should heed these warnings, especially those connecting to enterprise servers.
Google has remained mum on the actual details of the vulnerability, but the government's involvement suggests it is a bit more serious than your average exploit. The federal mandate only targets Pixel devices, but it appears that the exploit could also apply to other Android phones.
The folks behind GrapheneOS, the Android-based operating system, note that the vulnerability is not specific to Pixel phones. The organization said that a fix would be part of any update to Android 15 released in August, but it was not reflected. So if you choose not to update your OS, you probably won’t get the patch. It remains unclear whether there are other options for mitigation. We’ve reached out to Google and will update this post when we know more.
CVE-2024-32896, which was noted to be actively exploited in the wild in the June 2024 Pixel Update Bulletin, is part 2 of the fix for the CVE-2024-29748 vulnerability that we describe here: https://t.co/c4xnnbje04
As we explained there, none of this is actually Pixel-specific.
— GrapheneOS (@GrapheneOS) June 13, 2024
The warning, as disclosed in the US government's Directory of Known Exploitable Vulnerabilities (KEV), is also stingy with details. The advisory simply states that “Android Pixel software contains an unspecified vulnerability that could allow elevation of privilege.” GrapheneOS says the vulnerability involves memory not being erased while the device runs a firmware-based fastboot mode, potentially allowing malicious actors to exploit the system “to obtain previous OS memory.”
To summarize, update your Pixel phone immediately via the settings app, while those with other Android phones should sit tight for now. It’s never smart to mess around with these zero-day exploits, and the intervention of the US government has certainly increased the threat level here.