Android
Vulnerability
Threat Guidances
May 28, 2024

Four Chrome Zero Days

Image of a Chrome icon with holes in it

Lookout Coverage and Recommendation for Admins

To ensure your devices are protected, Lookout admins should take the following steps in their Lookout console:

  • Enable the Application Vulnerability policy, which will detect when a vulnerable app version is on the device. Since there are known exploits, we suggest you set the severity to high and block user access to work data until they update the app. 
  • Lookout published coverage for CVE-2024-4671 on May 17th as MultiApp-2024-4671. Any device with vulnerable versions of Chrome (at or below 124.0.6367.170) will receive an alert if detected after that date. We will add MS Edge (at or below 124.0.2478.105) coverage as it becomes available on the Play Store.
  • The coverage for CVE-2024-4761, CVE-2024-4947, CVE-2024-5157, CVE-2024-5158, CVE-2024-5159, CVE-2024-5160 was released on May 24th as MultiApp-MultiCVE-4761-5160. This coverage will alert devices with vulnerable versions of Chrome (at or below 125.0.6422.70). Edge coverage will be added to this once patched version is available in play store. 
  • The coverage for CVE-2024-5274 will be released soon once a patched version becomes available in the play store.
  • Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that are built to exploit these vulnerabilities in order to phish credentials or deliver malicious apps to the device. 

Overview 

Google has recently disclosed a handful of new vulnerabilities in its Chrome browser as well as Chromium, which is the codebase that also supports Edge. Within the full list are eight mobile-specific vulnerabilities which include CVE-2024-4671, CVE-2024-4761, CVE-2024-4947, CVE-2024-5157, CVE-2024-5158, CVE-2024-5159, CVE-2024-5160, and CVE-2024-5274. Within that list, 4947, 4671, 4761, and 5274 are all zero-day vulnerabilities, which makes it critically important to patch as soon as possible. 

These vulnerabilities all exist in various components including the V8 JavaScript engine that powers Chromium and any browser it’s built on, Visuals, which handles rendering and display of images in web browsers, Dawn, which is a WebGPU component that enables webpages to utilize a device’s GPU, and more. Successful exploitation of many of these vulnerabilities could grant an attacker access to any data that Chrome has access to or allow them to remotely execute code on the vulnerable device. 

At the time of writing, four of these vulnerabilities (4761, 4671, 4947, and 5274) have been assigned CVSS scores of 8.8 with known exploits in the wild. They have also been flagged by CISA, which is requiring a patch date of June 3rd, 2024 for 4761 and 4671 and June 10th, 2024 for 4947.

Lookout Analysis

The most likely way for an attacker to exploit this vulnerability would be to send a maliciously crafted webpage, which makes sense since the vulnerability exists in the device’s web browser. Since this needs to be delivered to mobile device users, the attacker would send a message over SMS, email, a third-party messaging platform, or any mobile app that has a messaging feature. That message would contain a link to the malicious webpage, and with some simple social engineering the attacker could convince the victim to tap the link and kick off the exploit.

A successful exploit of one of these vulnerabilities could grant the attacker access to any data that the web browser app itself has access to. This could include permission-based data such as location, web browsing history, personal data, and sound recordings. In addition, the attacker could use these vulnerabilities to deliver phishing sites or malware to the vulnerabile device. 

As attackers modernize their tactics, exploiting widely-used vulnerable apps like Chrome by simply sending the vulnerable device a malicious web page is a quick way for them to be able to compromise a mobile device. This can be a critical vulnerability in today’s enterprise security posture, which needs to take mobile devices into account as employees access sensitive cloud data from their smartphones and tablets more frequently than they do from desktops and laptops.

Authors

Lookout

Cloud & Endpoint Security

Lookout, Inc. is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack. Data is at the core of every organization, and our approach to cybersecurity is designed to protect that data within today’s evolving threat landscape no matter where or how it moves.

Platform(s) Affected
Android
Threat Type
Vulnerability
Entry Type
Threat Guidances
Platform(s) Affected
Android
Vulnerability
Threat Guidances

Related Content

Four Chrome Zero Days

Google recently disclosed eight new mobile vulnerabilities in Chrome including four zero-days

Read Threat Article

BancaMarStealer

A customizable Malware-as-a-Service banking trojan delivered through any app with messaging capabilities.

Read Threat Article

Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy

Researchers at the Lookout Threat Lab have discovered a new Android surveillance tied to the Law Enforcement Command of the Islamic Republic of Iran (FARAJA).

Read Threat Article
A woman using her phone and laptop on a train ride.

Lookout Mobile Endpoint Security

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Advanced mobile Endpoint Detection & Response powered by data from 185M+ apps and 200M+ devices on iOS, Android, ChromeOS.

Try Lookout for Free Today
Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell