The June 2024 Pixel update bulletin released patches for several security vulnerabilities, including elevation of privilege (EoP), remote code execution, information disclosure, and denial of service, which impact Pixel devices and Qualcomm components.
One of these flaws is an EoP issue in Pixel firmware that is already exploited in targeted attacks as a zero-day. The Common Vulnerabilities and Exposures (CVE) code for this vulnerability is CVE-2024-32896.
“There are indications that CVE-2024-32896 may be under limited, targeted exploitation,” the Google announcement said. Security patch levels of 2024-06-05 or later address this issue for supported Pixel devices such as Pixel 5a with 5G, Pixel 6a, Pixel 6, Pixel 6 Pro, Pixel 7, Pixel 7 Pro, Pixel 7a, Pixel 8, Pixel 8 Pro, Pixel 8a, and Pixel Fold.
The Settings app shows your device’s Android version number, security patch level, and Google Play system update level. You can check for new updates by going to About phone (or About device) and tapping Software updates.
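For checking many devices at once rather than tapping through Settings, the same patch level is exposed as a system property. The following POSIX shell script is an added example, not part of the bulletin or of Google's tooling: it reads `ro.build.version.security_patch` and `ro.product.model` (real Android property names) from `adb shell getprop` output and compares the level with 2024-06-05, the level the bulletin names for the CVE-2024-32896 fix. The device dump embedded in it is constructed so the script runs offline.

```shell
#!/bin/sh
# Patch level at or after which Google says CVE-2024-32896 is addressed.
FIXED_LEVEL="2024-06-05"

# Constructed sample of `adb shell getprop` output (not from a real device):
# an Android 14 Pixel 7 still on the May 2024 patch level.
SAMPLE_PROPS='[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2024-05-05]
[ro.product.model]: [Pixel 7]'

# Print the value of property $1 from getprop output read on stdin.
prop_value() {
    sed -n "s/^\[$1\]: \[\(.*\)\]$/\1/p"
}

# Return 0 if patch level $1 (YYYY-MM-DD) is at or after FIXED_LEVEL,
# 1 if it is older, 2 if the value is missing or malformed.
# ISO dates order correctly as plain strings, so a lexical comparison is enough.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    expr "$1" \>= "$FIXED_LEVEL" >/dev/null
}

# Evaluate one device's getprop dump passed as $1; prints a verdict and
# returns the same status codes as patch_level_ok.
check_props() {
    level=$(printf '%s\n' "$1" | prop_value ro.build.version.security_patch)
    model=$(printf '%s\n' "$1" | prop_value ro.product.model)
    rc=0
    patch_level_ok "$level" || rc=$?
    case $rc in
        0) echo "${model:-unknown}: $level is at or after $FIXED_LEVEL, CVE-2024-32896 fix present" ;;
        1) echo "${model:-unknown}: $level is older than $FIXED_LEVEL, still exposed to CVE-2024-32896" ;;
        *) echo "${model:-unknown}: security patch level missing or unreadable" ;;
    esac
    return $rc
}

# Demo against the constructed sample; on a connected device use:
#   check_props "$(adb shell getprop)"
check_props "$SAMPLE_PROPS" || true
```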
However, GrapheneOS said in a post on X that CVE-2024-32896 is the same as CVE-2024-29748, and Google added a new CVE ID to track the Pixel fix for the latter.
The post from GrapheneOS, a mobile operating system for selected Google Pixel devices, goes on to say that forensics companies targeted users with apps like Wasted and Sentry, and that GrapheneOS reported the issue to get Google to fix it across Android.
The June update (Android 14 QPR3) fixes the problem on Pixel devices; on other Android devices, updating to Android 15 plugs the vulnerability. However, not every fix is backported, and this is one of those, so devices that don't update to Android 15 probably won't receive the security patch.