Google has patched two critical Android zero-day vulnerabilities already exploited by hackers

Google has rolled out an emergency security update for Android, fixing two actively exploited zero-day vulnerabilities — CVE-2024-53197 and CVE-2024-53150.

According to the company, one of the flaws had already been used in real-world attacks — without the user’s knowledge or interaction. Hackers could gain elevated privileges on the device simply by exploiting the vulnerability.

The first vulnerability, CVE-2024-53197, was discovered by researchers from Amnesty International and Google’s Benoit Sevens. It was reportedly used in attacks involving Cellebrite — an Israeli firm known for developing digital forensics tools for law enforcement. One known case involved a targeted attack on a Serbian activist, as reported by TechCrunch.

The second vulnerability, CVE-2024-53150, was also discovered by Sevens, though technical details have not yet been disclosed. It affects the Android kernel and poses a similarly severe threat.

Google says the source code for the patches will be released within 48 hours of the security bulletin. Android OEMs were notified of the vulnerabilities at least a month prior to the public release.

Users are strongly encouraged to install the update as soon as it becomes available for their devices.