Google has issued a security advisory to users of its Android Pixel smartphones, warning that some devices have been targeted in attempts to bypass their built-in security.
What’s particularly interesting about the reported attack is that traditional cybercriminals may not be behind it, but rather a “forensics firm” exploiting two vulnerabilities to extract information and prevent remote erasure.
This is the view of GrapheneOS researchers, who posted a tweet regarding their discovery of the CVE-2024-29745 and CVE-2024-29748 vulnerabilities.
The GrapheneOS team understands security and privacy very well. GrapheneOS is an alternative Android-based operating system for Google Pixel devices that prioritizes privacy and security.
It is believed that forensic firms may exploit these zero-day vulnerabilities in the Pixel’s standard operating system to bypass security measures on confiscated phones. This may be at the request of law enforcement agencies to access data that cannot be accessed through traditional means.
Anyone trying to extract information from a confiscated locked smartphone would obviously want to prevent it from being remotely wiped by its owner.
According to a computer magazine, a Swedish forensics firm has reportedly released a since-deleted video demonstrating how to bypass an Android app called “Wasted,” which is used for remote device wiping.
GrapheneOS maintainers copied the video and used it to convince Google to take the vulnerabilities seriously. They said it was “evidence of exploitation in the wild”.
GrapheneOS researchers claim that Google’s firmware fix for Pixel smartphones is currently only a “partial solution” to the flaw that prevents owners from remotely wiping their devices. Few details have been shared, presumably to avoid further exploits and attacks.
Google plans to roll out a patch for the vulnerability to affected Pixel devices in the coming days.
Editor’s note: The opinions expressed in this guest author article are those of the contributor and do not necessarily reflect the views of Tripwire.