Google has issued patches for 62 vulnerabilities on Android. Two of these vulnerabilities, tracked as CVE-2024-53150 and CVE-2024-53197, have already been actively exploited in the wild, with Google admitting that they may have come under “limited targeted exploitation.”
Both vulnerabilities have been rated 7.8 out of 10 on the CVSS severity scale. CVE-2024-53150 is an out-of-bounds bug in the Kernel USB sub-component that can reveal sensitive data. CVE-2024-53197 is also present in the Kernel USB sub-component and can let an attacker escalate privileges if exploited. Google’s advisory notes that user interaction isn’t needed for exploitation, making these vulnerabilities especially dangerous.
The most severe of these issues is a critical security vulnerability in the System component that could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.
Zero-interaction vulnerabilities are often used by spyware developers to get their malware onto a victim’s phone without tipping anyone off. Since these vulnerabilities also don’t show typical signs of compromise or require the target to interact with anything shady, they’re also harder to investigate or track down during forensic investigations.
CVE-2024-53197, along with CVE-2024-53104 and CVE-2024-50302, had all been patched already in 2024. According to a report from Amnesty International, the three bugs were chained together to install spyware on the phones of a local journalist and activist in December 2024, leading to Cellebrite banning Serbia from using its products.
CVE-2024-53104 was patched in February 2025, with CVE-2024-50302 getting plugged in March. With the latest update fixing CVE-2024-53197, Google has effectively blocked the exploit path.
Yadullah is a Computer Science graduate who writes/edits/shoots/codes all things cybersecurity, gaming, and tech hardware. When he's not, he streams himself racing virtual cars. He's been writing and reporting on tech and cybersecurity with websites like Candid.Technology and MakeUseOf since 2018.
You can contact him here: yadullahabidi@pm.me.