Hackers Are Exploiting A Firmware Security Flaw In Pixel Phones, Patch ASAP

Google is pushing out its June 2024 security update for supported Pixel devices like the Pixel 8 Pro and Pixel 8, with fixes for over 50 security vulnerabilities, over half of which carry a Critical or High severity rating. One of the most alarming of the bunch, however, is a zero-day flaw in firmware. While it carries a High severity rating rather than Critical, what's concerning is that Google has found evidence to suggest that it's being actively exploited in the wild.

Tracked as CVE-2024-32896, it's an elevation of privilege (EoP) flaw with no other concrete details provided at this time. That's not unusual—Google typically waits until a majority of affected owners have been able to download and apply zero day security fixes like this one before it divulges the full details, in an effort to mitigate the potential damage from hackers.

"There are indications that CVE-2024-32896 may be under limited, targeted exploitation," Google states in a support document.

Generally speaking, EoP flaws enable attackers to gain rights and permissions that would normally be blocked off to outsiders. There are various ways this can manifest depending on the bug in question, but the end result is that it opens the door for a malicious actor to install malware, steal sensitive data, tweak settings so that affected users are more vulnerable to future attacks, and so forth.

The June 2024 security update also provides fixes for a whole bunch of other EoP flaws, including more than half a dozen Critical ones, as well as several remote code execution (RCE) bugs and denial of service (DoS) vectors, among other security holes.

These fixes address a wide range of components, too, including the fingerprint sensor, modem, WLAN, audio and more. Some of these are specific to Qualcomm's hardware.

Google dishes out security updates to Pixel devices separately from the ones it provides to its Android OEM partners. That's partly because Pixel phones are first-party devices that often gain access to features before they roll out to other Android devices.

Pixel devices receive security updates for at least three years from launch. Supported devices include the Pixel 8 Pro, Pixel 8, Pixel 8a, Pixel 7 Pro, Pixel 7, Pixel 7a, Pixel 6 Pro, Pixel 6, Pixel Fold, Pixel 5, Pixel 5a (5G), Pixel 4a (5G), Pixel 4a, Pixel 4 XL, and Pixel 4. Pixel 3a XL and earlier handsets no longer receive Android version updates and security patches.

You can manually initiate an update by heading to Settings > Security & privacy > System & updates > Security update. A restart will be required after installing.