Millions at risk from actively exploited Android zero-day — update right now

 Pixel 7a held in hand
Pixel 7a held in hand

Google has patched a number of critical and high-severity flaws in its latest round of monthly security updates, including a zero-day vulnerability that is being actively exploited by hackers.

As reported by The Hacker News, the search giant has rolled out a new set of security updates for the best Android phones which patch several flaws in the Android Framework and its System component.

Of these flaws, the most concerning one is a privilege escalation vulnerability tracked as CVE-2023-35674. According to Google’s Android Security Bulletin for September 2023, there are indications that this vulnerability “may be under limited, targeted exploitation”. However, the company didn’t go into further details about how hackers are actively using the vulnerability in their attacks.

Still though, you’re going to want to update your Android phone as soon as possible to avoid falling victim to any potential attacks leveraging this flaw.

Critical and high-severity flaws patched

Besides this zero-day, Google’s latest monthly security update also fixes three other privilege escalation flaws in Framework.

The company explains in September’s Android Security Bulletin that if left unpatched, the most severe vulnerability in Framework “could lead to local escalation of privilege with no additional execution privileges needed”. Likewise, no user interaction is necessary to exploit this vulnerability.

In addition to Framework, Google also patched several critical and high-severity vulnerabilities in Android’s System component. Once again, the most severe vulnerability in System “could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed”.

All told, Google has fixed 7 flaws in Framework, 14 flaws in Android’s System module and two flaws in the operating system’s MediaProvider component which will be sent out to vulnerable Android phones through a Google Play system update.

How to keep your Android phone safe from hackers

A hand holding a phone securely logging in
A hand holding a phone securely logging in

Just like with the best laptops, the most important thing you can do to keep your Android phone safe is to install regular updates as soon as they become available. These updates contain bug fixes and other tweaks to prevent hackers from exploiting known vulnerabilities.

If your phone is no longer receiving regular security updates, then you’re going to want to have one of the best Android antivirus apps installed to protect you against threats exploiting these types of vulnerabilities. While Google Play Protect does a great job at stopping malware and malicious apps, it just doesn’t offer the same features that paid Android antivirus apps do.

At the same time, you’re going to want to avoid sideloading apps and should instead stick to official app stores like the Google Play Store, Amazon Appstore and Samsung Galaxy Store when downloading new apps. However, you should still try to limit the number of apps on your phone because even good apps can go rogue.

Google regularly updates Android with new security features and if you don’t want to miss out on them, you might consider getting a Pixel phone like the Google Pixel 7a or the upcoming Google Pixel 8 as your next smartphone. This way, you’ll be first in line for all of the latest features while also being protected with regular security updates.

More from Tom's Guide