At this point, the rest of us should presumably get on that as well.
As first reported by Forbes, the United States government has issued a stern warning to employees who use Pixel phones, ordering them to install the latest security update by tomorrow, July 4. The reason is a high-severity firmware vulnerability in the Android operating system that could expose devices to “limited, targeted exploitation.”
To make sure the device is up to date, open the Settings app and apply the patch that has already been released for the zero-day exploit. Government personnel who have not installed the security update by the July 4 deadline are required to “discontinue use of the product.” Anyone who connects to enterprise servers, in particular, should heed this warning, and it goes without saying that the rest of us should too.
Although Google has not disclosed details of the vulnerability, the government's involvement suggests it is a more serious threat than the typical exploit. And although the federal directive is addressed only to Pixel phones, it appears the attack could be used against other Android phones as well.
The developers of GrapheneOS, an Android-based operating system, have pointed out that the vulnerability is not unique to Pixel phones. The fix has not been backported, but the group says a patch will be included in the Android 15 update, which is scheduled for release in August. If you choose not to update the operating system, you will most likely not receive the patch. It is not clear whether there are any other ways to mitigate the impact. We have contacted Google and will update this post as soon as we have more information.
CVE-2024-32896, which is marked as being actively exploited in the wild in the June 2024 Pixel Update Bulletin, is the 2nd part of the fix for the CVE-2024-29748 vulnerability we described here: https://t.co/c4xnnbje04
— GrapheneOS (@GrapheneOS) June 13, 2024
As we explained there, none of this is actually Pixel specific.
The United States government's warning, recorded in the Known Exploited Vulnerabilities (KEV) catalog, provides little detail. The advisory says only that “Android Pixel contains an unspecified vulnerability in the firmware that allows for privilege escalation.” According to GrapheneOS, the flaw is that the firmware does not properly wipe memory when the device is in firmware-based fastboot mode, which could let attackers access the device and recover memory left over from the previously running operating system.
To summarize, Pixel owners should update immediately through the Settings app. Owners of other Android phones will have to wait for now. Zero-day exploits are never good news, and the United States government's involvement has certainly raised the threat level a notch.
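For an administrator applying the directive above to a fleet, here is an added example (not from the article, Google or CISA) that sorts devices into the three outcomes the advisory implies: current, must update, or must be discontinued once the July 4 deadline has passed. It assumes each device's `ro.build.version.security_patch` property has been collected with `adb shell getprop` into a simple inventory (constructed below), and assumes the June 2024 Pixel bulletin corresponds to patch level 2024-06-05.

```python
"""Fleet check for the June 2024 Pixel security patch (fix for CVE-2024-32896)."""
from datetime import date

# Assumed patch level string for the June 2024 Pixel Update Bulletin.
REQUIRED_PATCH = "2024-06-05"
# Deadline from the KEV advisory discussed in the article.
KEV_DEADLINE = "2024-07-04"

# Constructed sample inventory, one device per line:
# "<serial> <model> <value of ro.build.version.security_patch>"
SAMPLE_INVENTORY = """\
1A2B3C Pixel_8 2024-06-05
4D5E6F Pixel_7a 2024-05-05
7G8H9I Pixel_6 2024-07-05
XYZ123 Pixel_8_Pro unknown
"""


def parse_patch_level(value: str):
    """Return a date for a 'YYYY-MM-DD' patch level, or None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def classify(raw_patch: str, today_iso: str) -> str:
    """Return 'ok', 'update' or 'discontinue' for one device.

    A missing or unparseable patch level is treated as not patched."""
    level = parse_patch_level(raw_patch)
    if level is not None and level >= date.fromisoformat(REQUIRED_PATCH):
        return "ok"
    past_deadline = date.fromisoformat(today_iso) > date.fromisoformat(KEV_DEADLINE)
    return "discontinue" if past_deadline else "update"


def audit(inventory: str, today_iso: str) -> dict:
    """Map serial -> (model, status) for every well-formed inventory line."""
    report = {}
    for line in inventory.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines rather than guessing
        serial, model, raw_patch = fields
        report[serial] = (model, classify(raw_patch, today_iso))
    return report


if __name__ == "__main__":
    for serial, (model, status) in audit(SAMPLE_INVENTORY, date.today().isoformat()).items():
        print(f"{serial} {model}: {status}")
```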