Update your Android: Google patches two zero-day vulnerabilities

Google has announced patches for several high severity vulnerabilities. In total, 51 vulnerabilities have been patched in November’s updates, two of which are under limited, active exploitation by cybercriminals.

If your Android phone shows patch level 2024-11-05 or later then the issues discussed below have been fixed. The updates have been made available for Android 12, 12L, 13, 14, and 15. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under About phone or About device you can tap on Software updates to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

Keeping your device as up to date as possible protects you from known vulnerabilities that have been fixed, and helps you to stay safe.

Technical details

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs that look the most important are:

CVE-2024-43047: a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that elevates privileges. Use after free (UAF) is a vulnerability due to incorrect use of dynamic memory during a program’s operation. If after freeing a memory location a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Qualcomm disclosed the vulnerability in October as a problem in its Digital Signal Processor (DSP) service. The vulnerability is flagged as under limited, targeted exploitation and could allow an attacker to escalate privileges on targeted devices.

CVE-2024-43093: a high-severity escalation of privilege vulnerability impacting the Android Framework and the Google Play system updates. This is the second vulnerability that is flagged as under limited, targeted exploitation.

CVE-2024-43091: a high severity Remote Code Execution (RCE). By exploiting this vulnerability in the System component an attacker could remotely execute code on a device with no additional execution privileges needed.

CVE-2024-38408: is the only vulnerability listed as critical in this update. The problem is described as a “cryptographic issue when a controller receives an LMP start encryption command under unexpected conditions.” LMP stands for Link Manager Protocol, which is a communication system used in Bluetooth technology to set up and manage connections between devices. The “start encryption command” is a special instruction that tells Bluetooth devices to begin scrambling their communications. The issue was patched by Qualcomm, which published a long list of affected chipsets.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.