Google Warns of Two Critical Android Vulnerabilities
Google has published a security bulletin warning of two critical Android vulnerabilities, CVE-2024-43093 and CVE-2024-50302, that are being actively exploited in attacks against devices running Android 12 through 15. CVE-2024-50302 appears to be the zero-day that Amnesty International described in its February 28 report on an attack against a Serbian political activist.
Javvad Malik, lead security awareness advocate at KnowBe4, commented:
“Google’s disclosure of CVE-2024-43093 and CVE-2024-50302 serves as a stark reminder of the perils lurking in our pockets. These vulnerabilities, affecting over a billion Android devices, highlight the importance of deploying patches in a timely manner.
The involvement of Serbian authorities and Cellebrite’s UFED tools in exploiting these vulnerabilities adds a layer of complexity in that it blurs the lines between state-sponsored surveillance and cybercrime.
The real challenge lies in the fragmented nature of the Android ecosystem. With dozens of manufacturers and carriers, patching becomes a logistical nightmare, leaving countless devices vulnerable long after fixes are available. Unfortunately, many cheaper Android devices running older versions of the operating system can’t be updated at all.
This incident underscores the urgent need for a more cohesive approach to security updates in the Android world. Google, OEMs, and carriers must pull together to ensure patches reach users swiftly, regardless of device or location.”
This is something that I have been saying for years. Android needs a more cohesive approach to security updates, because the way things are right now isn't workable from a security standpoint. In short, Android needs to work more like Apple's platform, where a fix for a security issue is pushed out to the majority of devices in short order. Hopefully Google eventually decides to move in that direction.
This entry was posted on March 4, 2025 at 1:53 pm and is filed under Commentary with tags Google.