Google has revealed that two Android security flaws affecting its Pixel smartphones have been widely exploited by forensic firms.
High-severity zero-day vulnerabilities are as follows:
- CVE-2024-29745 – There is an information leakage flaw in the bootloader component
- CVE-2024-29748 – Privilege escalation flaw in firmware components
“There are signs that [vulnerabilities] May be subject to limited, targeted exploitation,” Google said in an announcement on April 2, 2024.
While the tech giant did not reveal any other information about the nature of the attacks exploiting the flaws, GrapheneOS maintainers said the flaws “are being actively exploited by forensics companies.”
“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/refreshing/locking,” they explain In a series of posts on X (formerly Twitter).
“Forensics firms are exploiting vulnerabilities on Pixel and other devices by rebooting them into fastboot mode in a post-first-unlock state and then dumping memory.”
GrapheneOS noted that local attackers may weaponize CVE-2024-29748 to interrupt a factory reset triggered through the device management API.
The disclosure comes more than two months after the GrapheneOS team disclose Forensics firms are exploiting a firmware vulnerability affecting Google Pixel and Samsung Galaxy phones to steal data and spy on users when the devices are not stationary.
It also urged Google to introduce an automatic restart feature to make exploiting firmware flaws more difficult.
