Android users have just been given another urgent reason to update their phones: the US government's cybersecurity agency, CISA, is warning that a vulnerability newly disclosed by Google is under attack. CISA has set November 28 as the deadline for the update to be installed, giving users less than three weeks to get this done.
"Android Framework contains an unspecified vulnerability that allows for privilege escalation," CISA warns, mandating all federal employees to "apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable." This is just the latest in a line of Android zero-days this year, and while the "update or stop using your phone" instruction is extreme, the fact that phones are under attack amplifies the already serious risk that employee cellphones pose to enterprise systems.
As ever, while the formal mandate applies only to federal employees, CISA warnings apply much more broadly, given its remit "to help every organization better manage vulnerabilities and keep pace with threat activity." CISA's Known Exploited Vulnerability (KEV) catalog is maintained for organizations to use "as an input to their vulnerability management prioritization framework."
It has only been three days since Google disclosed CVE-2024-43093, warning that "there are indications [it] may be under limited, targeted exploitation." The good news for Pixel and Samsung users is that the fix is now rolling out as part of their regular monthly security updates. Other OEMs will be doing the same, so check your phone.
You also need to make sure the update actually installs once it has downloaded to your device. Those whose devices receive updates less often than monthly remain exposed until their next update, and should bear that in mind as they use their phones. Those whose devices are no longer receiving security updates at all should seriously consider the benefits of an upgrade.
This was not the only zero-day patched in Android's November update. CVE-2024-43047 is also under active attack. This vulnerability, which affects a number of Qualcomm chipsets, has also been fixed, albeit not for all OEMs. At the time of writing, it still isn't included in Samsung's formal release, with the Galaxy-maker warning that "some patches to be received from chipset vendors may not be included in the security update package of the month. They will be included in upcoming security update packages as soon as the patches are ready to deliver."
I asked Samsung when this would be fixed, and the company told me it "takes security issues very seriously. We are aware of the report regarding potential vulnerabilities in some of Qualcomm's chipsets and have been working with Qualcomm to address this issue. We have started rolling out security updates since October, but updates may continue being released at a later date, which will vary by network provider or model. We always recommend that users keep their devices up-to-date with the latest software updates."
This Qualcomm vulnerability triggered its own CISA warning, with an update deadline that fell last month and which users whose OEM has not yet shipped the fix will have missed. It's critical that they update as soon as possible, though, to fix what could be an even nastier threat than the latest Android framework flaw. Again, users should be wary of connecting unpatched cellphones to enterprise systems, and should be doubly careful about what they click, install and open until they are updated. That said, the reality is that any user connecting a phone to enterprise systems should always be cautious.
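For an enterprise, "check your phone" scales badly by hand. The script below is an added example, not code from the article, CISA, Google or Samsung: it reads the security patch level reported by each device (the `ro.build.version.security_patch` property, as printed by `adb shell getprop`) and compares it against the patch level that carries each of the two CISA-listed fixes, using the due dates from a KEV-style record. The device names, the getprop output and the KEV values are constructed (only the November 28 due date for CVE-2024-43093 comes from the article; the October due date for CVE-2024-43047 is illustrative). The mapping of each CVE to a minimum patch level is an assumption based on the Android bulletin convention that the 2024-11-01 level covers framework issues while only the 2024-11-05 level also covers vendor-component (including Qualcomm) fixes, which is why a device reporting 2024-11-01 is still flagged for the Qualcomm bug, matching Samsung's own caveat above.

```python
"""Fleet check: does each Android device report a security patch level that
carries the fixes CISA is mandating, and is its KEV due date already past?

Everything below is constructed sample data. The KEV excerpt uses the field
names of CISA's JSON feed; the 2024-11-28 due date is from the article, the
other values are illustrative.
"""
import json
import re
from datetime import date
from typing import Dict, Optional

# ASSUMPTION: minimum Android security patch level that carries each fix.
# Framework fixes ship at the -01 level; vendor-component (Qualcomm) fixes
# are only guaranteed at the -05 level, so an OEM reporting 2024-11-01 has
# not necessarily shipped the Qualcomm patch.
REQUIRED_PATCH_LEVEL: Dict[str, date] = {
    "CVE-2024-43093": date(2024, 11, 1),
    "CVE-2024-43047": date(2024, 11, 5),
}

# Constructed excerpt shaped like CISA's KEV feed (real field names).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-43093", "vendorProject": "Android",
         "product": "Framework", "dueDate": "2024-11-28"},      # from the article
        {"cveID": "CVE-2024-43047", "vendorProject": "Qualcomm",
         "product": "Multiple Chipsets", "dueDate": "2024-10-29"},  # illustrative
    ]
})

# Constructed output of `adb shell getprop ro.build.version.security_patch`
# for four hypothetical devices. The last one reports an empty value.
SAMPLE_GETPROP: Dict[str, str] = {
    "pixel-8":       "[ro.build.version.security_patch]: [2024-11-05]",
    "galaxy-s23":    "[ro.build.version.security_patch]: [2024-11-01]",
    "budget-tablet": "[ro.build.version.security_patch]: [2024-08-01]",
    "odd-build":     "[ro.build.version.security_patch]: []",
}

PROP = "ro.build.version.security_patch"
_BRACKETED = re.compile(r"\[" + re.escape(PROP) + r"\]:\s*\[([^\]]*)\]")


def parse_patch_level(getprop_output: str) -> Optional[date]:
    """Parse the patch level from either the bracketed `getprop` dump format
    or the bare value printed when the property is queried directly.
    Returns None when the value is missing or not a YYYY-MM-DD date."""
    m = _BRACKETED.search(getprop_output)
    raw = (m.group(1) if m else getprop_output).strip()
    try:
        return date.fromisoformat(raw)
    except ValueError:
        return None


def load_due_dates(kev_json: str) -> Dict[str, date]:
    """Map cveID -> dueDate from a KEV-shaped JSON document."""
    feed = json.loads(kev_json)
    return {v["cveID"]: date.fromisoformat(v["dueDate"]) for v in feed["vulnerabilities"]}


def assess_device(patch_level: Optional[date], today: date,
                  due_dates: Dict[str, date]) -> Dict[str, str]:
    """Per CVE: 'patched' if the reported level carries the fix, 'overdue' if
    not and the KEV due date has passed, 'due' if not but still in window,
    'unknown' if the device reported no usable patch level."""
    result = {}
    for cve, needed in REQUIRED_PATCH_LEVEL.items():
        if patch_level is None:
            result[cve] = "unknown"
        elif patch_level >= needed:
            result[cve] = "patched"
        elif today > due_dates.get(cve, date.max):
            result[cve] = "overdue"
        else:
            result[cve] = "due"
    return result


def fleet_report(today_iso: str, devices: Dict[str, str] = SAMPLE_GETPROP,
                 kev_json: str = KEV_SAMPLE) -> Dict[str, Dict[str, str]]:
    """Assess every device's getprop output as of the given ISO date."""
    today = date.fromisoformat(today_iso)
    due = load_due_dates(kev_json)
    return {name: assess_device(parse_patch_level(out), today, due)
            for name, out in devices.items()}


if __name__ == "__main__":
    for name, findings in fleet_report("2024-11-10").items():
        print(name, findings)
```

In a real deployment the device map would be filled from `adb devices -l` plus a per-device `getprop` call (or from an MDM export), and the KEV document from CISA's published feed rather than the constructed sample; the comparison logic stays the same. Treat a "patched" verdict for the Qualcomm CVE as a statement about the reported patch level, not proof that a given OEM build contains the chipset fix: the patch-level string is what the OEM chose to declare.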
In its recent 2024 mobile threat report, Zimperium warned that 83% of phishing sites were crafted specifically to target mobile devices and that a full 70% of businesses "fail to adequately secure personal devices used for work purposes," adding the alarming statistics that "90% of successful cyberattacks originate from endpoint devices [and] 71% of employees admitting to engaging in actions they knew were risky."
As such, all enterprises are well advised to follow CISA's lead when a vulnerability is known to have been exploited, and ensure employees update this month. Home users should follow the same advice, for all the same reasons.