The CISA update deadline is July 4
Google’s Pixel update had a nasty sting in its tail this month. CVE-2024-32896 was buried among dozens of major updates and runtime upgrades and Android’s quarterly feature drop. This high-severity firmware vulnerability, Google warned, “may be under limited, targeted exploitation.”
Google provided few details about this zero-day — more on that below — but the US government stepped in and ordered federal employees to update their Pixel devices before July 4 “or discontinue use of the product.” This gives you just ten days to act. The warning is aimed at government agencies, but other businesses should do the same and enforce full employee compliance. Personal users should also be careful, especially if they connect their devices to any corporate system.
The US government’s warning comes via its Known Exploited Vulnerabilities (KEV) list, which is managed by CISA—the Cybersecurity and Infrastructure Security Agency. “Android Pixel contains an unspecified vulnerability in firmware that allows escalation of privilege,” its advisory simply says.
While Google has not provided more details about the zero-day vulnerability, GrapheneOS said this is the second part of a patch for vulnerabilities it reported in April, which are “actively used in the wild by criminal enterprises.”
Worryingly, the company also says this isn’t just a Pixel issue. “Fixed on Pixels with the June update (Android 14 QPR3) and will be fixed on other Android devices when they eventually update to Android 15. If they don’t update to Android 15, they likely won’t get the fix as it’s not supported.”
Since the exploited vulnerability has entered CISA’s KEV list, it’s unclear what owners of other Android devices — which may share the risk but have no immediate mitigation — should do. We await anything further on this.
GrapheneOS describes the two vulnerabilities as “memory is not cleared when firmware-based fastboot is started, allowing it to be exploited to download previous operating system memory. [and] The AOSP Device Manager API depends on reboot to recovery for wipe prior to Android 14 QPR3,” warning that “neither issue has been fixed outside of Pixels yet.”
Google’s June update came the same week as a report on the dangers of Play Store freeware and days after Zscaler warned that it had “detected and analyzed more than 90 malicious apps uploaded to the Play store… with more than 5.5 million installs.”
And then this week, the cyber team at Check Point warned of an Android trojan—Rafel—that had been spotted in at least 120 malicious campaigns. And while this mainly targeted older, unsupported devices, “users of current Android versions should be concerned; this threat can infect a wide range of Android versions, from the oldest unsupported versions to the latest.”
All in all, a worrying scenario for Android users. All Pixel owners should take the CISA order seriously and update before the 4th of July holiday, if they have not already. The download should be automatic, and a reboot will ensure it installs completely. You can find instructions on how to check that your Pixel device has been updated here.
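For businesses that need to enforce compliance across a fleet, the check reduces to reading each device’s security patch level and comparing it against the June update. The following POSIX shell script is an added example, not code from the article, Google or CISA; it assumes the June 2024 Pixel patch level is 2024-06-05 (confirm against Google’s bulletin), and the `getprop` output it parses is constructed sample data.

```shell
#!/bin/sh
# Added example: verify an Android device's security patch level against a
# minimum, using the output of `adb shell getprop`.
# MIN_PATCH is an ASSUMED threshold for the June 2024 Pixel update.
MIN_PATCH="${MIN_PATCH:-2024-06-05}"

# Read getprop output on stdin and print the security patch level.
# getprop prints lines such as: [ro.build.version.security_patch]: [2024-06-05]
patch_level_from_getprop() {
    sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\([0-9-]*\)\]$/\1/p' | head -n 1
}

# Return 0 if patch level $1 (YYYY-MM-DD) is at or after minimum $2.
# A missing or malformed level is treated as non-compliant.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Strip the dashes so the dates compare as integers: 20240605 -ge 20240505
    [ "$(printf '%s' "$1" | tr -d -)" -ge "$(printf '%s' "$2" | tr -d -)" ]
}

# Return 0 if the supplied getprop output shows a compliant device, 1 otherwise.
device_compliant() {
    level=$(printf '%s\n' "$1" | patch_level_from_getprop)
    patch_level_ok "$level" "$MIN_PATCH"
}

# Constructed sample output (not captured from real devices).
PATCHED_DEVICE='[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-06-05]
[ro.product.model]: [Pixel]'
STALE_DEVICE='[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-05-05]
[ro.product.model]: [Pixel]'

# Live use against a connected device (requires adb and USB debugging):
#   device_compliant "$(adb shell getprop)" && echo compliant || echo UPDATE REQUIRED
```

Run the live line per device from an MDM or admin workstation and flag anything that returns non-zero before the July 4 deadline.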