Google Fixes Two Pixel Zero-Day Flaws - Update Now!

Google has patched two zero-day flaws that are being exploited to steal data from locked Pixel phones.

As reported by BleepingComputer, the first zero-day is an information leak flaw in the Pixel bootloader (tracked as CVE-2024-29745) and the second is a privilege escalation bug in the Pixel firmware (tracked as CVE-2024-29748).

Both of these zero-days are rated as high-severity flaws and were discovered by security researchers at GrapheneOS, an Android distribution focused on privacy and security. What makes these flaws particularly interesting is that it was not hackers who exploited them. Instead, it was a forensic firm that used the flaws to gain unauthorized access to data stored on Google's Pixel devices.

If you haven't already, now is the time to download and install this month's Google Pixel update and keep your Android phone safe from prying eyes. In the latest Pixel Update Bulletin, Google explains that there are "indications" that these zero-days "may be subject to limited and targeted exploits." Even if these flaws are not being exploited on a large scale, they are still a concern for Pixel owners.

According to an X thread, security researchers at GrapheneOS discovered these flaws several months ago and reported them to the search giant. As with other high-severity zero-day incidents, the information was not made public until a patch was ready.

While investigating the issue, GrapheneOS discovered that forensic firms were rebooting Pixel devices that were in an "After First Unlock" state into fastboot mode to exploit these flaws. This makes the attacks more difficult and time-consuming to pull off, but the effort may be worthwhile against prominent targets who prefer Pixel phones over the best iPhones. However, the attack must be carried out directly on the device, not remotely.

Fortunately, Google's latest patch fixes these problems by zeroing memory when booting in fastboot mode and enabling USB connection only after the zeroing process is complete.

As with any other device, keeping your Pixel phone updated is the best way to protect it from hackers and, in this case, forensic companies that would steal data from it.

To install this latest update, Pixel users need to go to their phone's settings menu and from there tap Security and Privacy, then System and Updates, then Security Update. Here they need to tap Install and apply the latest patch from Google.

To guard against malicious apps and malware, make sure that Google Play Protect is enabled on your Pixel. For additional protection, you should also consider using one of the best Android antivirus apps alongside it.

Zero-day flaws may sound scary at first, but they are simply vulnerabilities discovered by someone other than the manufacturer of the device or software, in this case Google. Google has been quick to address both flaws, and anyone who hasn't installed the latest update should do so now.
