Google has warned {that a} safety flaw impacting its Android working system has come beneath energetic exploitation within the wild.
The vulnerability, tracked as CVE-2024-43093, has been described as a privilege escalation flaw within the Android Framework element that would end in unauthorized entry to “Android/information,” “Android/obb,” and “Android/sandbox” directories and its sub-directories, based on a code commit message.
There are at the moment no particulars about how the vulnerability is being weaponized in real-world assaults, however Google acknowledged in its month-to-month bulletin that there are indications it “could also be beneath restricted, focused exploitation.”
The tech large has additionally flagged CVE-2024-43047, a now-patched safety bug in Qualcomm chipsets, as having been actively exploited. A use-after-free vulnerability within the Digital Sign Processor (DSP) Service, profitable exploitation may result in reminiscence corruption.
Final month, the chipmaker credited Google Undertaking Zero researchers Seth Jenkins and Conghui Wang for reporting the flaw, and Amnesty Worldwide Safety Lab for confirming the in-the-wild exercise.
The advisory gives no particulars on the exploit exercise concentrating on the flaw or when it might need began, though it is attainable that it might have been leveraged as a part of extremely focused adware assaults geared toward civil society members.
It is also at the moment not recognized if each the safety vulnerabilities have been customary collectively as an exploit chain to raise privileges and obtain code execution.
CVE-2024-43093 is the second actively exploited Android Framework flaw after CVE-2024-32896, which was patched by Google again in June and September 2024. Whereas it was initially resolved just for Pixel gadgets, the corporate later confirmed that the flaw impacts the broader Android ecosystem.
