Google has revealed that two Android security flaws affecting its Pixel smartphones have been exploited in the wild by forensic companies.
The two high-severity zero-day vulnerabilities are:
- CVE-2024-29745 – An information disclosure flaw in the bootloader component
- CVE-2024-29748 – A privilege escalation flaw in the firmware component
“There are indications that the vulnerabilities may be under limited, targeted exploitation,” Google said in an advisory published on April 2, 2024.
Although Google did not provide further details about the attacks exploiting these vulnerabilities, GrapheneOS maintainers stated that “they are being actively exploited by forensic companies.”
“CVE-2024-29745 refers to a vulnerability in the fastboot firmware used to support unlocking/flashing/locking,” as mentioned by GrapheneOS in a series of posts on X.
“Forensic companies are rebooting devices in After First Unlock state into fastboot mode on Pixels and other devices to exploit vulnerabilities there and then dump memory.”
GrapheneOS pointed out that CVE-2024-29748 could be exploited by local attackers to disrupt a factory reset triggered via the device admin API.
This disclosure comes after the GrapheneOS team revealed that forensic companies are exploiting firmware vulnerabilities impacting Google Pixel and Samsung Galaxy phones to steal data and spy on users when the device is not in use.
They also called on Google to implement an auto-reboot feature to make exploitation of firmware flaws more challenging.
