There’s a sting in the tail with this month’s Android security update, the details of which were released this week. Google has confirmed that two vulnerabilities fixed in the release “may be under limited, targeted exploitation.” Nothing especially untoward there, except that one of those threats, CVE-2024-43047, which affects certain Qualcomm chipsets, prompted a US government warning with a mandate to update or stop using impacted Android phones by October 29. For most Android users, that deadline passed before a patch was available to install, so it was impossible to meet.
On October 8, CISA, the US government’s cybersecurity agency, warned that “multiple Qualcomm chipsets contain a use-after-free vulnerability due to memory corruption in DSP Services while maintaining memory maps of HLOS memory,” and directed federal civilian agencies to “apply remediations or mitigations per vendor instructions” by October 29, “or discontinue use of the product if remediation or mitigations are unavailable.”
As for those remediations, Qualcomm says it made fixes available to device OEMs in September and has urged them to deploy those patches “on released devices as soon as possible.” While those patches are now part of Android’s November release and will reach Pixels as soon as they update, the story for other OEMs will vary. Samsung, for example, hasn’t confirmed this fix as yet, and it was missing from the company’s own November security update, issued the same day as Android’s.
While CISA’s mandate under its Known Exploited Vulnerabilities (KEV) catalog is binding only on federal civilian agencies, the agency says it maintains the catalog “for the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity… Organizations should use the KEV catalog as an input to their vulnerability management prioritization framework.” As such, other public and private organizations should also apply the update as soon as it’s available to them. The initial exploitation warning came from Google’s Threat Analysis Group, which suggests both that the threat is serious and that it is likely commercial spyware, which is a risk to enterprises as well as to individual targets.
Smartphone users can find the affected chipsets in Qualcomm’s security bulletin, and most will be able to check their phone’s model against that list. All Android OEMs should push out the update now that it’s available, although users remain beholden to model, region, carrier and lock state in determining when it reaches their device. Federal staff with affected phones are already past the deadline and should update, and confirm the patch level, as soon as the OEM makes the fix available. For everyone else, the same advice applies. Don’t leave devices unprotected any longer than you have to, and until they are updated, be wary of what you click, install and open.
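The practical check behind that advice is the device’s security patch level. The POSIX shell script below is an added example, not from the article or from Google or Qualcomm: it parses the output of `adb shell getprop` (the property names `ro.build.version.security_patch`, `ro.board.platform` and `ro.product.model` are real Android system properties) and reports whether the device is at or beyond the November 2024 patch level. It assumes the Qualcomm fix ships in the `2024-11-05` level, which is an assumption to confirm against your OEM’s bulletin, and the `getprop` dumps it runs on are constructed samples so the script works offline.

```shell
#!/bin/sh
# Added example: classify an Android device as patched/unpatched for the
# November 2024 security release from `adb shell getprop` output.

# ASSUMPTION: the Qualcomm (vendor) fix for CVE-2024-43047 is in the
# 2024-11-05 patch level. Check your OEM's bulletin before relying on it.
REQUIRED_PATCH_LEVEL="2024-11-05"

# Extract one property value from getprop output, which has the form
#   [ro.build.version.security_patch]: [2024-10-05]
# $1 = property name, $2 = full getprop text. Strips stray CRs that some
# adb versions leave on each line.
getprop_value() {
  printf '%s\n' "$2" | tr -d '\r' \
    | sed -n 's/^\['"$1"'\]: \[\(.*\)\]$/\1/p'
}

# Return 0 if patch level $1 (YYYY-MM-DD) is at or beyond the required level.
# ISO dates compare correctly as integers once the dashes are removed.
is_patched() {
  have=$(printf '%s' "$1" | tr -d '-')
  need=$(printf '%s' "$REQUIRED_PATCH_LEVEL" | tr -d '-')
  [ "$have" -ge "$need" ]
}

# Print "patched", "unpatched" or "unknown" for a getprop dump in $1.
# "unknown" covers a missing or malformed patch level rather than
# silently treating it as safe.
classify() {
  patch=$(getprop_value ro.build.version.security_patch "$1")
  case "$patch" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;   # well-formed date
    *) echo unknown; return 0 ;;
  esac
  if is_patched "$patch"; then echo patched; else echo unpatched; fi
}

# Human-readable report, including the SoC platform name so the reader can
# look it up against the chipset list in Qualcomm's bulletin.
report() {
  model=$(getprop_value ro.product.model "$1")
  platform=$(getprop_value ro.board.platform "$1")
  patch=$(getprop_value ro.build.version.security_patch "$1")
  printf 'model=%s platform=%s patch_level=%s status=%s\n' \
    "${model:-?}" "${platform:-?}" "${patch:-?}" "$(classify "$1")"
}

# Constructed sample dumps (not real devices).
SAMPLE_OLD='[ro.product.model]: [Sample Phone A]
[ro.board.platform]: [example_soc]
[ro.build.version.security_patch]: [2024-10-05]'

SAMPLE_NEW='[ro.product.model]: [Sample Phone B]
[ro.board.platform]: [example_soc]
[ro.build.version.security_patch]: [2024-11-05]'

SAMPLE_BROKEN='[ro.product.model]: [Sample Phone C]
[ro.board.platform]: [example_soc]'

report "$SAMPLE_OLD"
report "$SAMPLE_NEW"
report "$SAMPLE_BROKEN"

# Against a real device with USB debugging enabled, run:
#   report "$(adb shell getprop)"
```

A device that reports `unpatched` here is not necessarily exploitable (the chipset may not be on Qualcomm’s list), but it has not received the release that carries the fix; `unknown` means the property was absent and the device should be inspected by hand rather than assumed safe.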
There was another zero-day vulnerability patched in Android’s November release as well, CVE-2024-43093. This one is Google’s own and sits in the Android Framework component; it is unrelated to the Google Play problems that have been in the news for other reasons this week, causing chaos on certain Pixel phones and stopping apps from running. This patch did make it into Samsung’s November SMR, and you can check your own OEM’s update details on its security bulletin page or in the on-device update listing.
With two serious, exploited vulnerabilities and a CISA deadline that has already passed, this month’s release takes on a more serious note than usual. Update your phone as soon as you can.