Google just fixed two major Pixel zero-day flaws — update your phone right now

Google Pixel 8 Pro hands-on. (Image credit: Tom's Guide)

Google has patched two zero-day flaws that are being actively exploited to steal data from locked Pixel phones.

As reported by BleepingComputer, the first zero-day is an information disclosure flaw in the Pixel’s bootloader (tracked as CVE-2024-29745), while the second is an elevation-of-privilege bug in the Pixel firmware (tracked as CVE-2024-29748).

Both of these zero-days are rated as high-severity flaws and were discovered by security researchers at GrapheneOS, a privacy- and security-focused Android distribution. What makes these patches particularly interesting is that it wasn’t hackers who were exploiting them. Instead, it was forensic firms using them to gain unauthorized access to data stored on Google’s Pixel devices.

If you haven’t yet, now is the time to download and install this month’s Google Pixel Update to keep the best Android phones safe from snooping eyes. (It's the same update that includes some Pixel 8 camera fixes.)

Exploiting zero-days for forensics

In its latest Pixel Update Bulletin, Google explains that “there are indications” that these zero-days “may be under limited, targeted exploitation.” Even though these flaws aren’t being exploited on a wider scale, this is still cause for concern for Pixel owners.

According to a thread on X, GrapheneOS’ security researchers discovered and then reported these flaws to the search giant a few months ago. As with other high-severity zero-days, information on them wasn’t shared publicly until a patch was ready.

During its investigation into the matter, GrapheneOS discovered that forensic companies were rebooting Pixel devices in an “After First Unlock” state into fastboot mode in order to exploit these flaws. This makes the attacks more difficult and time-consuming to pull off, but the effort could be worth it against high-profile targets who prefer Pixel phones over the best iPhones. It also has to be done in person rather than remotely.

Fortunately, Google’s latest patches fix these issues by zeroing memory when booting into fastboot mode and only enabling USB connectivity once that zeroing process is complete.
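To make the ordering of that fix concrete, here is a small constructed model, added here and not taken from Pixel firmware or from GrapheneOS: a RAM buffer that survives a warm reboot, a simulated fastboot entry routine in both the pre-patch and patched order, and a host-side USB read that is only possible once the USB interface is up. All names (`g_ram`, `enter_fastboot_patched`, `usb_read_ram`) and the sample key bytes are hypothetical; the point is that clearing memory before the interface comes up closes the window in which leftover data is readable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model (not real firmware): RAM that keeps its contents across
 * a warm reboot into fastboot, plus a flag for whether USB is live. */
#define RAM_SIZE 64
static uint8_t g_ram[RAM_SIZE];
static int g_usb_enabled = 0;

/* Simulate a device in the "After First Unlock" state being warm-rebooted:
 * the OS left sensitive material in RAM, and USB is down until fastboot enables it. */
void simulate_after_first_unlock_state(void) {
    memset(g_ram, 0, sizeof g_ram);
    memcpy(g_ram, "DECRYPTION-KEY-MATERIAL", 23);   /* constructed sample secret */
    g_usb_enabled = 0;
}

/* Zeroing through a volatile pointer so the compiler cannot drop it as a
 * dead store (a plain memset before a buffer goes out of scope may be elided). */
static void secure_zero(void *p, size_t n) {
    volatile uint8_t *vp = (volatile uint8_t *)p;
    while (n--) *vp++ = 0;
}

/* Host-side read over USB. Returns bytes copied, or -1 if USB is not enabled. */
int usb_read_ram(uint8_t *out, size_t n) {
    if (!g_usb_enabled || n > RAM_SIZE) return -1;
    memcpy(out, g_ram, n);
    return (int)n;
}

/* Pre-patch ordering: USB comes up while RAM still holds the OS's leftovers. */
void enter_fastboot_unpatched(void) {
    g_usb_enabled = 1;
}

/* Patched ordering (as the article describes): clear RAM first, then enable USB. */
void enter_fastboot_patched(void) {
    g_usb_enabled = 0;
    secure_zero(g_ram, sizeof g_ram);
    g_usb_enabled = 1;
}

/* Defender's check: how many non-zero bytes can a host see over USB right now? */
int count_nonzero_visible(void) {
    uint8_t buf[RAM_SIZE];
    int n = usb_read_ram(buf, RAM_SIZE);
    if (n < 0) return -1;
    int nz = 0;
    for (int i = 0; i < n; i++) if (buf[i]) nz++;
    return nz;
}

int main(void) {
    simulate_after_first_unlock_state();
    enter_fastboot_unpatched();
    printf("unpatched: %d non-zero bytes readable over USB\n", count_nonzero_visible());

    simulate_after_first_unlock_state();
    enter_fastboot_patched();
    printf("patched:   %d non-zero bytes readable over USB\n", count_nonzero_visible());
    return 0;
}
```

The unpatched path exposes all 23 bytes of the constructed secret; the patched path exposes none, because the only state a host can read after USB is enabled is already zero. The `volatile` loop matters in real bootloader code for the same reason it matters here: a zeroing pass that the optimizer is allowed to remove gives no guarantee at all.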

How to keep your Pixel phone safe

A hand holding a phone securely logging in. (Image credit: Google)

Just like with the rest of your devices, keeping your Pixel phone updated is the best way to protect it from hackers or, in this case, snooping forensic firms.

To install this latest update, Pixel users need to go to their phone’s Settings menu and from there tap Security & Privacy, then System & updates, followed by Security update. Here you’ll need to tap Install to apply the latest patches from Google.

When it comes to malicious apps and malware, you want to ensure that Google Play Protect is enabled on your Pixel, as this built-in app scans all of your existing apps and any new ones you download to ensure they don’t contain malicious code. For added protection, you should also consider using one of the best Android antivirus apps alongside it.

Zero-day flaws might sound scary at first, but they’re actually just vulnerabilities that were discovered by someone other than the device or software’s manufacturer, which in this case is Google. The search giant has taken action quickly with these two flaws, and if you haven’t already, you should install the latest update right now.


Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • AugieTN
    I just saw a govt note saying, "Google Pixel Deadline—10 Days To Update Or Stop Using Your Phone" So it was fixed with an April update?