While the request itself applies only to US users, the underlying issue affects every Galaxy smartphone user worldwide.
The US government is urging federal employees using Samsung Galaxy devices to update their devices as soon as possible, with a deadline of August 28, or stop using them. This is reportedly due to a number of bugs that could allow potential attackers to access private data that would normally be inaccessible.
Galaxy phones have had the CVE-2024-32896 vulnerability addressed with the August update.
In June, Google listed a vulnerability in Pixel phones as CVE-2024-32896. The vulnerability was labeled “high severity,” and its patch notes said it may be subject to “limited, targeted exploitation.” The U.S. government then gave federal employees 21 days to update their Pixel devices or stop using them.
Now, a similar warning has been issued by the US Cybersecurity and Infrastructure Security Agency (CISA), with a deadline of August 28 for users to update their Galaxy devices. The initial warning issued by CISA only targeted Pixel phones and did not include Samsung Galaxy devices because, at the time, the vulnerability, CVE-2024-32896, was said to affect only Pixel phones. Researchers later discovered that it affects all Android phones, but the original warning was not updated to include that information.
Furthermore, the update that addressed the Galaxy phone vulnerability was only released in August, so CISA has also issued a new requirement. This August update addresses the CVE-2024-32896 vulnerability and also includes fixes for several bugs that could allow privilege escalation attacks.
Pixel devices were patched for the CVE-2024-32896 vulnerability through the June update.
Essentially, a privilege escalation attack means that a third party could gain unauthorized access to private data on the device through some (complicated) method. For federal employees, these types of vulnerabilities can be particularly serious, even more so if their devices contain classified US government data.
According to Samsung, these bugs have been exploited in the real world under specific conditions. Following CISA’s new warning, more organizations and companies are likely to follow the federal government’s lead. As with Pixel phones, it’s unlikely that “regular” Galaxy users will be targeted by attackers using these exploits, but it’s best to keep your devices updated to protect your privacy and security.