La Digital security on Android mobile devices is back in the spotlight after the identification and correction of two particularly serious zero-day vulnerabilities, which were being exploited by attackers long before developers had an effective patch. The discovery of these vulnerabilities, coupled with the slow rollout of updates to many users, highlights Android's structural cybersecurity challenges and raises questions about the effective protection of millions of devices worldwide.
What is a zero-day vulnerability and why is it so critical?
An zero-day vulnerability It is a security flaw in software or hardware that is unknown to the developerThe term "zero-day" refers to the fact that, from the moment the vulnerability is discovered and exploited, The manufacturer has zero days to react and create a solutionCybercriminals exploit these gaps because users and businesses don't yet have protective patches, leaving systems exposed to targeted attacks and data breaches.
The seriousness of these incidents lies in the fact that Zero-day exploits often go undetected for days, weeks, or even years.During this time, attackers can take advantage of this opportunity to install malware, steal sensitive information, or remotely control devices. Attacks can be massive or highly targeted, affecting everyone from the general public to high-profile figures, such as activists, businesses, or journalists.
Furthermore, these exploits are often marketed in underground markets and hacking forums, where their value increases proportionally to the threat level and access they allow. The fact that Android has the largest user base on the planet makes this operating system the perfect target for attacks with zero-day exploits.
Details of the new zero-day vulnerabilities in Android
Google detected and corrected two critical vulnerabilities that were being actively exploited on Android:
- CVE-2024-53197: Vulnerability of privilege escalation in the USB audio driver (ALSA) of the Linux kernel, which allows an attacker to execute code with elevated privileges and take control of internal components of the device.
- CVE-2024-53150: Weakness of disclosure of information through an out-of-bounds read on the same controller, allowing a local attacker to access sensitive data without user intervention.
Both flaws affect the deepest layer of the operating system, compromising the integrity and confidentiality of Android devices. These vulnerabilities were detected by Google's internal team, Threat Analysis Group (TAG) and the Amnesty International Security Lab, organizations that have demonstrated the international dimension and high risk of these incidents.
According to various investigations, Cellebrite —an Israeli company dedicated to mobile device forensics— used this exploit chain to unlock, among others, Mobile phones seized from political activists in SerbiaThe modus operandi combined multiple failures, including those previously identified as CVE-2024-53104 and CVE-2024-50302, which allowed users to bypass Android system defenses and access confidential information even on well-protected devices.
Successful exploitation of these vulnerabilities meant that any affected device could be taken under attacker control, allowing for everything from the collection of personal data to the installation of advanced spyware, all without the victim's knowledge.
How Android zero-days are discovered, exploited, and patched
The typical process of a zero-day vulnerability involves several critical phases:
- A developer or manufacturer releases an operating system, unaware that it includes a security flaw.
- An attacker or specialized group detects the vulnerability before the developer and creates an exploit to take advantage of it.
- The exploit is used in targeted or mass attacks, often covertly, to steal data or control devices.
- Eventually, the vulnerability is discovered publicly, either by third-party security analysts, affected individuals, or the manufacturer itself.
- The developer creates and distributes a security patch which blocks the breach; from that moment on, the exploit is no longer considered a "zero-day."
The real danger lies in the time window The time between the attacker's discovery of the vulnerability and the patch being installed on all affected devices. This window can last from days to years, especially in the Android ecosystem, which relies on multiple manufacturers and layers of customization.
On this occasion, Google notified device manufacturers with sufficient time to prepare their own updates, but the reality is that many users receive patches weeks—or even months—late, due to the fragmentation of the ecosystem.
The process of distributing patches on Android
Google integrates fixes into two major patch levels for Android:
- First patch level: Includes general system and framework vulnerabilities.
- Second level (critical): Incorporates key fixes for closed components, such as proprietary drivers from MediaTek, Qualcomm, the Linux kernel itself, and various hardware vendors.
The update usually arrives immediately to the Google Pixel, the company's flagship devices, but for the rest of the manufacturers (Samsung, Xiaomi, Motorola, OnePlus, among others), deployment may be considerably delayedEach brand must first adapt the patch to its own customization layer and models, a process that can take weeks depending on the brand and age of the device.
This is one of the main bottlenecks of Android, which allows a significant exposure window to active exploitation before most users are truly protected. To expand your knowledge of system security, visit Android security.
Furthermore, although Google tries to reduce fragmentation through mechanisms such as Project Mainline (which allows you to update key components from Google Play), Critical security patches still require operating system updates, which limits the speed of response to urgent threats such as zero-days.
Real implications and malicious uses detected
The impact of zero-day vulnerabilities in Android goes beyond the technical and affects fundamental rights and privacy. These exploits have been documented in contexts of State surveillance and repression against activists, journalists and critical groups internationally.
Collaboration between Google TAG, Amnesty International Security Lab and other independent bodies has allowed us to document cases in which Authorities used tools like Cellebrite's to unlock, among others, Mobile phones seized from political activists in SerbiaThe modus operandi combined multiple failures, including those previously identified as CVE-2024-53104 and CVE-2024-50302, making it easier to bypass Android system defenses and access sensitive information even on well-protected devices.
Successful exploitation of these vulnerabilities meant that any affected device could be taken over by the attacker, allowing for the collection of personal data and the installation of advanced spyware, all without the victim's knowledge. For more information on how to detect if your phone has been compromised, see How can I recover deleted data on Android?.
These practices have led to a greater international awareness, calling for more effective coordination between developers, manufacturers, governments, and NGOs to prevent the exploitation of critical vulnerabilities before they cause irreparable damage. To learn more about protecting your device, visit .
Android fragmentation and its security implications
The Android ecosystem is characterized by extreme fragmentation: Different manufacturers release their own patches at different rates., and many older devices are ending support much earlier than desired. According to recent estimates, Only a small portion of Android phones receive immediate updates., while the rest remain vulnerable for an extended period. You can learn how to better manage your device's updates at .
This problem not only affects current zero-day exploits, but also accumulates as new vulnerabilities appear month after month. Even devices that are still valid in terms of hardware are often left unprotected because manufacturers discontinue support, opening the door for them to be used as attack vectors on business, personal, or institutional networks.
The delay between vulnerability identification, patch release, and its effective delivery to all users is arguably Android's biggest security challenge. Attackers take advantage of this window to cause as much damage as possible. before most devices update. If you'd like to understand more about how system protection works, check out .
Prevention: What to do if your Android hasn't received the patch yet
If your Android device has not yet received the critical update, there are essential preventive measures To minimize the risk of being a victim of an exploit:
- Manually check for updates: Accede to Settings → System → System UpdateDepending on the manufacturer, the path may vary slightly, but there is always an option to manually check for new patches.
- Avoid installing applications from unofficial sourcesInstalling APKs from unknown sites or receiving suspicious attachments greatly increases the risk of infection, especially when there are unpatched vulnerabilities.
- Keep Google Play Protect turned on: While not foolproof, it offers an additional layer of protection against malicious apps found in the official store and beyond.
- Be wary of unsolicited links and messagesMany malware attacks leverage phishing techniques to convince you to install malicious apps.
- Don't grant unnecessary permissions: Periodically review the permissions of installed applications, especially those that access sensitive data or phone hardware (microphone, camera, storage, etc.).
- Consider switching to a device with long-term update support if your manufacturer has stopped offering security patches.
Furthermore, in business environments, it is advisable to use mobile device management (MDM) solutions that allow centralized security policies to be applied, limit the installation of external apps, and facilitate the monitoring of known and emerging threats.
Why does it take so long for security updates to arrive on Android?
Android's main security challenge lies not so much in the time it takes to detect a vulnerability, but in the complex process of getting the solution to all affected devices. As it is a open ecosystemEach manufacturer customizes the operating system, introduces its own layers, and requires adaptation and testing of patches before releasing them. To learn more about managing updates, visit .
For example, brands like Samsung or OnePlus usually stand out for their relative velocity in patch distribution, but other companies may take weeks or even months to release updates, especially for older or low-end models.
This situation means that, even if Google acts quickly, most users still have to wait to receive effective protection. Furthermore, devices outside the support period are permanently exposed to known threats, increasing risks in the medium and long term.
How to protect Android from zero-day threats? Advanced strategies and emerging trends
In addition to basic preventative measures, there are advanced strategies, both at the user and developer levels, to strengthen security against zero-day exploits on Android:
- Mainline Project: Enables modular updating of critical Android components through Google Play, streamlining the response to new threats.
- Improvements to sandboxing and permission policies: Separating application processes and strengthening access controls reduces the potential impact of an unpatched vulnerability.
- Execution-Only Memory (XOM) Expansion: Limit the ability to execute malicious code in key memory areas.
- rewards programs for identifying errors: Google rewards researchers who responsibly report zero-day vulnerabilities with significant amounts.
- Automatic security updates for critical components, independent of the manufacturer whenever possible.
The sector also observes a increased sophistication of attacks, the emergence of campaigns of malvertising (malvertising) and the growth of the black market for mobile exploits. Zero-click attacks that require no user interaction represent the latest threat, so maintaining extreme digital hygiene and staying alert for abnormal device behavior is crucial. To expand your knowledge, check out .
Collaboration between manufacturers, large technology companies, NGOs, and independent experts is essential to share information about new threats and accelerate bug fixes. To learn how to check if your device is vulnerable, check out How to use YouTube on Android Auto.
Adopting devices with guaranteed and extended security update support is increasingly advisable, especially for those who handle sensitive information or perform high-risk roles. To keep your device protected, check out solutions for managing permissions and security on Android. how to block apps on Android.
While the detection and patching of zero-day vulnerabilities by Google and its partners demonstrates significant progress in Android security, the reality is that attack response capabilities—no matter how advanced—will never be sufficient if patches aren't delivered urgently to the entire installed base. To improve the security of your device, explore .
