Google has launched patches for 43 vulnerabilities in Android’s March 2025 safety replace, together with two zero-days exploited in focused assaults.
Serbian authorities have used one of many zero-days, a high-severity info disclosure safety vulnerability (CVE-2024-50302) within the Linux kernel’s driver for Human Interface Gadgets, to unlock confiscated units.
The flaw was reportedly exploited as a part of an Android zero-day exploit chain developed by Israeli digital forensics firm Cellebrite to unlock confiscated units.
The exploit chain—which additionally features a USB Video Class zero-day (CVE-2024-53104) patched final month and an ALSA USB-sound driver zero-day)—was discovered by Amnesty Worldwide’s Safety Lab in mid-2024 whereas analyzing the logs discovered on a tool unlocked by Serbian authorities.
Google informed BleepingComputer final week that they shared fixes for these flaws with OEM companions in January.
“We had been conscious of those vulnerabilities and exploitation danger prior to those reviews and promptly developed fixes for Android. Fixes had been shared with OEM companions in a associate advisory on January 18,” a Google spokesperson informed BleepingComputer.
The second zero-day fastened this month (CVE-2024-43093) is an Android Framework privilege escalation vulnerability that permits native attackers to entry delicate directories as a consequence of incorrect unicode normalization by exploiting a file path filter bypass with out further execution privileges or consumer interplay.
This month’s Android safety updates additionally tackle 11 vulnerabilities that may let attackers achieve distant code execution on weak units.
Google has issued two units of safety patches, the 2025-03-01 and 2025-03-01 safety patch ranges. The latter comes with all fixes from the primary batch and patches for closed-source third-party and kernel subcomponents, which can not apply to all Android units.
Google Pixel units obtain the updates instantly, whereas different distributors will typically take longer to check and fine-tune the safety patches for his or her {hardware} configurations.
Producers may also prioritize the sooner patch set for faster updates, which doesn’t essentially point out elevated exploitation danger.
In November, the corporate patched one other Android zero-day (CVE-2024-43047), which was first tagged as exploited by Google Venture Zero in October 2024 and utilized by the Serbian authorities in NoviSpy spyware and adware assaults concentrating on the Android units of activists, journalists, and protestors.
