Google has patched two zero-day flaws that are being actively exploited to steal data from locked Pixel phones.
As reported by BleepingComputer, the first zero-day is a disclosure flaw in the Pixel’s bootloader (tracked as CVE-2024-29745) while the second is an elevation of privilege bug in the pixel firmware (tracked as CVE-2024-29748).
Both of these zero-days are rated as high-severity flaws and were discovered by security researchers at GrapheneOS which is a privacy and security-focused Android distribution. What makes these patches particularly interesting is the fact that it wasn’t hackers who were exploiting them. Instead, it was forensic firms who used them to gain unauthorized access to data stored on Google’s Pixel devices.
If you haven’t yet, now is the time to download and install this month’s Google Pixel Update to keep the best Android phones safe from snooping eyes. (It's the same update that includes some Pixel 8 camera fixes.)
Exploiting zero-days for forensics
In its latest Pixel Update Bulletin, Google explains that “there are indications” that these zero-days “may be under limited, targeted exploitation.” Even though these flaws aren’t being exploited on a wider scale, this is still cause for concern for Pixel owners.
According to a thread on X, GrapheneOS’ security researchers discovered and then reported these flaws to the search giant a few months ago. As with other high-severity zero-days, information on them wasn’t shared publicly until a patch was ready.
During its investigation into the matter, GrapheneOS discovered that forensic companies were rebooting Pixel devices in a ‘After First Unlock” state into fastboot mode in order to exploit these flaws. This makes these attacks more difficult and time consuming to pull off but doing so could be worth it for high-profile targets that prefer Pixel phones over the best iPhones. However, this would need to be done in person instead of remotely.
Fortunately, Google’s latest patches fix these issues by zeroing the memory when booting in fastboot mode and only enabling USB connectivity after the zeroing process is complete.
How to keep your Pixel phone safe
Just like with the rest of your devices, keeping your Pixel phone updated is the best way to protect it from hackers or in this case, snooping forensic firms.
To install this latest update, Pixel users need to go to their phone’s settings menu and from there, tap on Security & Privacy then System & updates followed by Security update. Here you’ll need to tap install to apply the latest patches from Google.
When it comes to malicious apps and malware though, you want to ensure that Google Play Protect is enabled on your Pixel as this built-in app scans all of your existing apps and any new ones you download to ensure they don’t contain any malicious code. For added protection, you should also consider using one of the best Android antivirus apps alongside it though.
Zero-day flaws might sound scary at first but they’re actually just vulnerabilities that were discovered by someone other than a device or software’s manufacturer which in this case is Google. The search giant has taken action quickly though with these two flaws and if you haven’t already, you should install the latest update right now.