Google has delivered fixes for two vulnerabilities endangering Android users that “may be under limited, targeted exploitation”: CVE-2024-43047, a flaw affecting Qualcomm chipsets, and CVE-2024-43093, a vulnerability in the Google Play framework.
The exploited vulnerabilities (CVE-2024-43047, CVE-2024-43093)
Qualcomm patched CVE-2024-43047 – a use-after-free vulnerability in the Digital Signal Processor (DSP) service that could be exploited to escalate privileges on targeted devices – in October 2024, and urged original equipment manufacturers (OEMs) to deploy the patches as soon as possible.
Reported by Seth Jenkins of Google Project Zero and Conghui Wang of Amnesty International Security Lab, it’s highly likely that the flaw is being leveraged by commercial mobile spyware makers.
Also, “limited, targeted exploitation” is phrasing that usually points toward cyber espionage campaigns rather than broad malware attacks and often implicates the use of specialized spyware targeting activists, journalists, or dissidents.
CVE-2024-43093 is another vulnerability that allows privilege escalation and has been fixed by restricting access to “Android/data,” “Android/obb,” and “Android/sandbox” directories and their sub-directories.
Propagating fixes in the Android ecosystem
As per usual, the Android Security Bulletin for November 2024 contains fixes for many other flaws found in the Android platform.
Android partners are notified of all issues at least a month before publication of each monthly Android security bulletin, and source code patches for them are released to the Android Open Source Project (AOSP) repository.
Samsung has, for example, patched CVE-2024-43047 in the October 2024 maintenance release for major flagship models, and CVE-2024-43093 in the one made available in November 2024.
Other manufacturers of Android-powered phones – such as Huawei, Motorolar, Oppo, and others – are expected to follow suit.