Google’s April 2025 Android Security Bulletin addresses 60 vulnerabilities across system components, the Linux kernel, and third-party hardware drivers, including two high-severity zero-days that have been actively exploited in targeted surveillance operations.
One of the patched flaws, CVE-2024-53197, was part of a Cellebrite-enabled attack used by Serbian authorities to compromise the phone of a student activist, as previously uncovered by Amnesty International.
CVE-2024-53150 and CVE-2024-53197 were flagged by Google as potentially exploited in the wild, with both tied to flaws in USB driver subsystems of the Linux kernel.
Exploited in the wild: Cellebrite-linked USB flaws
CVE-2024-53197 affects the Advanced Linux Sound Architecture (ALSA) USB audio driver and allows for memory corruption that could lead to local privilege escalation. As detailed in a February 2025 investigation by Amnesty International’s Security Lab, this vulnerability was part of a broader exploit chain used to gain unauthorized access to an Android device belonging to “Vedran,” a student activist detained during protests in Serbia.
The exploit leveraged multiple kernel-level flaws in Android’s USB subsystem, including CVE-2024-53197 and an earlier patched issue, CVE-2024-53104, which affected the USB Video Class driver. Amnesty’s analysis confirmed that Cellebrite’s UFED tool was used to emulate USB devices and bypass the phone’s lock screen. The attack chain culminated in root access, followed by the attempted installation of spyware. Google’s Threat Analysis Group later confirmed the authenticity and real-world exploitation of the vulnerabilities.
The broader implications of these flaws are significant, as they affect core Linux kernel drivers, meaning Linux-based systems beyond Android may also be vulnerable if not patched.
Other critical vulnerabilities patched
Aside from the actively exploited flaws, the bulletin highlights several critical vulnerabilities that could lead to remote or local privilege escalation without requiring user interaction. The most severe is CVE-2025-26416, a remote escalation of privilege (EoP) vulnerability in the Android System component that does not require user interaction or additional execution privileges. If exploited, it could allow an attacker to take control of a device remotely, bypassing standard platform protections.
Another critical flaw, CVE-2025-22423, is a denial-of-service (DoS) issue in the System component, which could be used to crash or destabilize targeted devices.
Google’s April 2025 bulletin includes security fixes spanning:
- Framework and System: Multiple EoP and information disclosure bugs fixed in Android versions 13 to 15.
- Kernel Subsystems: High-severity issues in the USB, Binder, and networking modules of the Linux kernel.
- Project Mainline Modules: Updates pushed via Google Play for components like Documents UI and MediaProvider.
- Third-Party Vendors: Patches addressing vulnerabilities in components from Arm (Mali), Imagination Technologies (PowerVR GPUs), MediaTek (Keymaster, vdec), and Qualcomm (WLAN, bootloader, closed-source drivers). A particularly notable case was a critical vulnerability (CVE-2024-45551) in Qualcomm components. These drivers are often used in a wide range of Android smartphones, increasing the scope of potential exploitation.
Update your Android devices
Google notes that exploitation of many of these vulnerabilities is mitigated by platform-level protections, such as memory tagging and stricter USB access controls introduced in recent Android versions. However, devices without regular updates or with disabled security features remain at risk.
Users should ensure devices are updated to at least the 2025-04-05 patch level, by going to Settings > Security & privacy > System & updates > Security update. Additionally, restrict USB debugging and limit USB connections on locked devices. It is also recommended to regularly check for unknown apps and logs indicating USB access.
Google plans to introduce a new mode in the upcoming Android 16 release, called ‘Advanced Protection,’ which is poised to offer enhanced protection against spyware and surveillance-ware, as well as unauthorized physical access.
Leave a Reply