
Google has released the April Android security update, addressing a total of 62 vulnerabilities, including two zero-day flaws that had been actively exploited in targeted attacks. Among them is a high-severity privilege escalation flaw (CVE-2024-53197) in the Linux kernel's USB-audio driver for ALSA devices. According to research findings, this flaw was part of an exploit chain developed by the Israeli firm Cellebrite and used by Serbian authorities to unlock confiscated Android devices.
This exploit chain had previously included vulnerabilities in the USB Video Class (CVE-2024-53104), patched in February, and in Human Interface Devices (CVE-2024-50302), addressed in March. The entire chain was uncovered in mid-2024 by Amnesty International’s Security Lab while analyzing logs from devices unlocked by Serbian police.
Google stated it was aware of these vulnerabilities in advance and distributed patches to device manufacturers as early as January. A company spokesperson confirmed that the fixes were sent to OEM partners on January 18 as part of a special security advisory.
The second zero-day flaw patched in April (CVE-2024-53150) pertains to an information leak from the Android kernel. Caused by an out-of-bounds memory read error, the vulnerability allows a local attacker to access sensitive data on a device without requiring user interaction.
In addition to these, the update addresses 60 other vulnerabilities, most of which also relate to privilege escalation and carry high severity ratings.
As usual, Google issues the update at two security patch levels: April 1 (2025-04-01) and April 5 (2025-04-05). The latter includes all fixes from the first level and adds patches for closed-source components and kernel modules, which may not be relevant to all devices. Pixel smartphones receive updates immediately, while other manufacturers often delay deployment pending compatibility testing with their specific hardware.
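A defender checking a fleet wants to know which of the two patch levels a device actually carries, since only the 2025-04-05 level includes the kernel and closed-source fixes described above. The following script is an added example, not code from Google or the article: it classifies the standard Android build property `ro.build.version.security_patch` against the two tier dates given in the text, reading it over `adb` when a device is attached and otherwise falling back to a constructed sample value.

```shell
#!/bin/sh
# Added example: classify an Android device's security patch level against
# the two April 2025 patch levels named in the article. Tier dates come from
# the article; ro.build.version.security_patch is the standard build property.

TIER1=2025-04-01   # partial: AOSP/framework fixes only
TIER2=2025-04-05   # full: adds closed-source component and kernel fixes

# Strip dashes so ISO dates compare as integers: 2025-04-05 -> 20250405
to_num() {
    printf '%s' "$1" | tr -d '-'
}

# patch_tier <YYYY-MM-DD>
# Prints one of: invalid, unpatched, partial, full
patch_tier() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 1 ;;
    esac
    n=$(to_num "$1")
    if [ "$n" -ge "$(to_num "$TIER2")" ]; then
        echo full
    elif [ "$n" -ge "$(to_num "$TIER1")" ]; then
        echo partial
    else
        echo unpatched
    fi
}

# Query a connected device when adb is available and a device is attached;
# otherwise use a constructed sample value so the script runs offline.
if command -v adb >/dev/null 2>&1 \
   && adb devices 2>/dev/null | sed 1d | grep -qw device; then
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
else
    level=2025-03-05   # constructed sample: a device still on the March level
fi
echo "security_patch=$level tier=$(patch_tier "$level")"
```

A device reporting 2025-04-01 is "partial": it has the first-level fixes but not the kernel module patches that ship only at 2025-04-05.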
Notably, in November 2024, Google had patched another zero-day vulnerability (CVE-2024-43047), which Project Zero researchers found being exploited by Serbian authorities. It had been used in the NoviSpy surveillance campaign targeting activists, journalists, and protest participants.