Google Issues Critical Update For Millions Of Pixel Users—Warns Attacks Now Underway

by · Forbes

Google has confirmed details of November’s Android security updates, which include two zero-days with vulnerabilities now “under limited, targeted exploitation.” As such, this is an “update now warning” for the millions of Pixel users with current support in place, and for other Android OEMs as they receive their own.

The first of the actively exploited vulnerabilities, CVE-2024-43047, is the Qualcomm risk that the chipset manufacturer warned about last month. They said then that OEMs had received the fix some weeks before and urged updating as soon as possible. Qualcomm acknowledged “indications from Google Threat Analysis Group that CVE-2024-43047 may be under limited, targeted exploitation.” That is now part of the November release. Interestingly, while Pixel gets the update now, Samsung does not—a likely delay I warned about previously.

The second zero-day, CVE-2024-43093, is one of Google’s own, and addresses a vulnerability in the core Google Play system framework that underpins much of the app infrastructure on devices. This is described “as a privilege escalation flaw in the Android Framework component that could result in unauthorized access to ‘Android/data,’ ‘Android/obb,’ and ‘Android/sandbox’ directories and its sub-directories, according to a code commit message.”


As ever, no further details on the vulnerabilities have been released at this stage, ahead of users having the opportunity to update their devices.

The Qualcomm issue has already prompted the US cybersecurity agency to mandate all federal employees (and advise all others) to update their phones. The deadline wasn’t achievable though, given the delay in pushing out the fix. I would expect the other vulnerability to make CISA’s catalog later this week if not today.

The bad news for Pixel users applying this update could be unrelated issues with the installation of Android 15 clashing with a Google Play update. Over the last 36 hours, multiple users have reported issues loading apps because of a Play Services issue. This seems to have impacted Gmail amongst other apps, stopping it from loading.

Putting that aside, all Pixel users are urged to install the new update as soon as it’s available on their phones. Pixel sales are surging, and despite any Android 15 teething issues, the speed with which that upgrade was available compared to Samsung, and the advantage Google has in running both hardware and software is now clear.