
Google has patched two zero-day vulnerabilities in Android that were under active exploitation, according to the December 2025 Android Security Bulletin.
These flaws, tracked as CVE-2025-48633 and CVE-2025-48572, were flagged as being used in targeted attacks in the wild.
The vulnerabilities were fixed as part of the security patches dated 2025-12-01 and 2025-12-05, which are now being rolled out to eligible Android devices. While Google did not disclose the technical specifics of these exploits, likely to prevent further abuse, both are rated high in severity and affect Android versions 13 through 16.
The flaws were discovered internally, as indicated by their Android bug IDs, and are categorized as information disclosure and elevation of privilege vulnerabilities, respectively. The bulletin notes signs of limited, targeted exploitation, a phrase typically used by Google when zero-days are found being leveraged in spyware operations or state-sponsored surveillance campaigns.
While Google does not name threat actors or detail attack chains in the bulletin, similar zero-days in the past have been exploited by commercial spyware vendors such as NSO Group, Candiru, and Intellexa, who sell tools capable of compromising Android phones via apps, SMS payloads, or silent background processes. Elevation of privilege (EoP) vulnerabilities, like CVE-2025-48572, are particularly useful in these attacks to gain deeper access after an initial foothold, while information disclosure flaws, such as CVE-2025-48633, are often used to leak sensitive system memory or defeat sandboxing protections.
These issues were resolved alongside over a hundred other vulnerabilities in various components, including the Android Framework, System, and Kernel. The most critical bug fixed in this bulletin (CVE-2025-48631) is a remote denial-of-service vulnerability in the Framework component that could disrupt device functionality without requiring elevated privileges.
Android, Google's mobile operating system and the most widely deployed in the world, takes a layered approach to security. Devices running Android 10 and later receive security fixes both through monthly system patches and through Google Play system updates (Project Mainline). Timely patching still depends largely on device manufacturers and carriers, however, so some users may not receive updates for weeks or months.
Google also relies on Google Play Protect, a suite of runtime protections and app scanning mechanisms active by default on devices with Google Mobile Services. Play Protect helps detect potentially harmful applications (PHAs), especially those installed from outside the Play Store.
Users should apply the latest security patches (2025-12-05 or later) as soon as they become available for their device model, avoid sideloading apps or installing APKs from untrusted sources, and keep Google Play Protect enabled.
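A quick way for an administrator to confirm that a fleet device actually carries the December fixes is to read its security patch level and compare it with the 2025-12-05 threshold above. The script below is an added example, not from Google or the bulletin; it assumes the stock `ro.build.version.security_patch` property (a YYYY-MM-DD string) and, for the live query, a USB-attached device with `adb` in PATH and USB debugging authorised. The sample levels at the bottom are constructed so the script runs offline.

```shell
#!/bin/sh
# Verify an Android device's reported security patch level against the
# 2025-12-05 level that carries the fixes for CVE-2025-48633 and CVE-2025-48572.

MIN_PATCH="2025-12-05"   # threshold taken from the bulletin advice above

# patch_is_current LEVEL
#   returns 0 if LEVEL is at or past MIN_PATCH, 1 if older, 2 if malformed
patch_is_current() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  # Zero-padded ISO dates compare correctly as integers once the dashes go.
  have=$(printf '%s' "$1" | tr -d '-')
  want=$(printf '%s' "$MIN_PATCH" | tr -d '-')
  [ "$have" -ge "$want" ]
}

# classify LEVEL -> prints one of: current / outdated / unknown
classify() {
  rc=0
  patch_is_current "$1" || rc=$?
  case $rc in
    0) echo current ;;
    1) echo outdated ;;
    *) echo unknown ;;
  esac
}

# device_patch_level: read the level from an attached device over adb.
# Assumes the stock property name; vendor builds generally keep it.
device_patch_level() {
  adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r'
}

# Constructed sample values for an offline run; on a real device use
# "$(device_patch_level)" in place of the literal levels.
for level in 2025-11-01 2025-12-01 2025-12-05 2026-01-05 not-a-date; do
  echo "$level -> $(classify "$level")"
done
```

A level of 2025-12-01 is reported as outdated because the page's advice is 2025-12-05 or later; a device that reports nothing (no adb, no authorisation) is classified as unknown rather than current.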