Android Zero-Day Flaw Actively Exploited in Device Takeover Attacks
Google disclosed a critical Android zero‑day, tracked as CVE-2025-48595, that is being actively exploited in targeted attacks.
The issue appears in the Android Framework and was documented in the Android Security Bulletin for June 2026 (published June 1). Google reports “limited, targeted exploitation,” indicating threat actors are using the flaw before broad patch adoption.
Android Zero-Day Vulnerability
The bug allows escalation of privileges remotely without any user interaction: attackers can silently gain higher permissions on a device.
Zero‑click exploitation is attractive to advanced threat actors and espionage campaigns because it leaves little forensic trace and can be executed against selected targets.
Affected devices and patches
Fixed in: Devices running the June 2026 security patch level (security patch date 2026-06-05 or later).
Vendor response: Google notified Android OEM partners at least a month before public disclosure to give manufacturers time to develop and distribute updates.
AOSP: Google will publish source code patches to the Android Open Source Project (AOSP) within 48 hours of the bulletin release to enable broader remediation.
Built‑in mitigations: Android’s layered defenses (sandboxing, exploit mitigations, and runtime protections) reduce but do not eliminate risk.
Play Protect: Enabled by default on devices with Google Mobile Services; helps detect potentially harmful apps, particularly those from third‑party sources.
Unpatched/unsupported devices: Older Android versions and devices that no longer receive updates remain highly vulnerable because they often lack modern hardening techniques.
If exploited, the flaw could enable:
Data exfiltration: Access to emails, messages, contacts, location histories.
Persistent surveillance: Installation of spyware that survives reboots or evades detection.
System control: Execution of privileged actions, disabling security features, or establishing backdoors.
Mitigation
Users: Check Settings → About phone → Security patch level and install available system updates immediately.
Administrators: Prioritize patch deployment for mobile fleets, enforce update policies, and restrict sideloading of apps.
Detection: Monitor mobile endpoints for anomalous behavior (unexpected network activity, new persistent processes, unusual permissions).
Incident response: If compromise is suspected, isolate devices, collect device logs (where possible), and follow established mobile IR procedures.
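A fleet-level version of the patch-level check above, as an added example that is not part of the bulletin or this article: it assumes patch levels were collected per device with `adb -s <serial> shell getprop ro.build.version.security_patch` (a real system property) into a tab-separated inventory, and every serial and value below is constructed. Devices whose property is empty or malformed are reported as unknown rather than counted as safe, which is the case unsupported or custom builds tend to fall into.

```python
"""Fleet triage against the June 2026 Android patch level.

Added example (not from the bulletin). Assumes an inventory gathered with
  adb -s <serial> shell getprop ro.build.version.security_patch
stored one device per line as "<serial><TAB><patch level>".
"""
from datetime import date

# Patch level named in the bulletin: 2026-06-05 or later closes CVE-2025-48595.
FIXED_PATCH_LEVEL = date(2026, 6, 5)

# Constructed sample inventory: serials and patch levels are made up.
SAMPLE_INVENTORY = """\
ZY22ABCD1234\t2026-06-05
R58N0EXAMPLE\t2026-05-05
emulator-5554\t2026-07-01
1A2B3C4D\t
OLDDEV0001\tunknown
"""


def parse_patch_level(value: str):
    """Return a date for a well-formed YYYY-MM-DD patch level, else None."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def triage(inventory: str, fixed: date = FIXED_PATCH_LEVEL) -> dict:
    """Classify each device as 'patched', 'unpatched' or 'unknown'.

    An empty or unparsable property (collection failure, unsupported or
    custom build) lands in 'unknown' so it is never silently treated as safe.
    """
    result = {"patched": [], "unpatched": [], "unknown": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        serial, _, raw = line.partition("\t")
        level = parse_patch_level(raw)
        if level is None:
            result["unknown"].append(serial)
        elif level >= fixed:
            result["patched"].append(serial)
        else:
            result["unpatched"].append(serial)
    return result


if __name__ == "__main__":
    for bucket, serials in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(serials) or '-'}")
```

Both the unpatched and the unknown buckets are the ones to push to the front of the update queue.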