Google Confirms Android Attacks—No Fix For 1 Billion Phones

Posted by Zak Doffman, Contributor | 4 hours ago | Cybersecurity, Innovation


Republished on September 6 with a new update deadline for government staff following Google’s confirmation that attacks on Android phones are now underway.

Google has issued a critical warning for Android users, confirming that two separate vulnerabilities are already being exploited in the wild. The bulletin's own wording is that the bugs "may be under limited, targeted exploitation", so at this stage this is targeted attack activity rather than mass exploitation, but the seriousness is such that Google is fixing all eligible Pixel devices straight away rather than on the usual rollout cadence.

The two high-severity vulnerabilities that have been exploited, CVE-2025-38352 and CVE-2025-48543, affect the Linux kernel used by Android and the Android Runtime (ART) respectively. As ever, Google has not issued any material detail at this early stage.


There are also four other critical fixes: CVE-2025-48539, CVE-2025-21450, CVE-2025-21483 and CVE-2025-27034. The first is in the Android System component, whilst the other three are in Qualcomm components, so on Qualcomm-based devices the fix depends on Qualcomm's patches being picked up in each manufacturer's own firmware release.

Google rates both CVE-2025-48543 and CVE-2025-38352 as high severity, and says each "could lead to local escalation of privilege with no additional execution privileges needed." More alarmingly, "user interaction is not needed for exploitation." In practice, "local" means the attacker needs code already running on the phone, typically a malicious or compromised app or a browser process, but once that foothold exists nothing further is required from the user, and the result is a jump from that confined process to much higher privilege on the device.

Whilst Pixels will be updated immediately, Google says the source code patches will be released to the Android Open Source Project "in the next 48 hours", after which other OEMs will need to incorporate them into their own monthly bulletins and firmware releases. You can expect the usual staggered deployment schedule over the coming weeks.

A timely reminder that only devices still eligible for monthly security updates will receive these fixes. Upwards of a billion Android phones no longer receive security updates from their manufacturer, and many are running versions of Android that can't be updated at all.

This is exactly why owners of these older devices are urged to upgrade their phones if they can’t update their software. Until you do, your data and your device are at risk.

As Zimperium warns, "a significant percentage (25.3%) of devices are not upgradeable due to the device's age." And delayed updates make that problem worse. "At any given point in the year, over 50% of mobile devices are running outdated OS versions, and a significant number are compromised or infected."

America's cyber defense agency, CISA, added both Android vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on September 4. Federal civilian agencies have until September 25 to apply the fix or stop using the affected Android devices. Clearly, in the unlikely event that devices which can't be updated are still in use by federal agency staff, those will need to be replaced with new hardware by the deadline date.
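For anyone managing a fleet of Android devices, the practical question after reading this is which devices are already fixed, which are waiting on an OEM update, and which can only be fixed by replacing the hardware. As an added example (not Google's, CISA's or this article's code), the script below does that triage from the output of `adb shell getprop`, reading the `ro.build.version.security_patch` property that every Android build reports. The inventory is constructed sample data. Two assumptions are baked in and should be confirmed against the bulletin and the KEV catalog: that the 2025-09-05 security patch level is the one that covers both exploited CVEs (the 2025-09-01 level does not carry the kernel fix), and that the KEV due date is September 25 as reported above.

```python
"""Fleet triage for the September 2025 Android security bulletin.

Added example; not Google's, CISA's or the article's code. The inventory is
constructed sample data, and the two dates below are assumptions to confirm
against the bulletin and the KEV catalog.
"""
import re
from datetime import date
from typing import Dict, List, Optional

# Assumption: the 2025-09-05 patch level addresses every issue in the bulletin,
# including the kernel fix for CVE-2025-38352; 2025-09-01 alone does not.
REQUIRED_PATCH_LEVEL = date(2025, 9, 5)
# CISA KEV due date for CVE-2025-38352 and CVE-2025-48543 as reported above.
KEV_DUE_DATE = date(2025, 9, 25)

# `adb shell getprop` prints each property as "[name]: [value]".
_PATCH_RE = re.compile(
    r"\[ro\.build\.version\.security_patch\]: \[(\d{4}-\d{2}-\d{2})\]"
)


def parse_patch_level(getprop_output: str) -> Optional[date]:
    """Return the device's security patch level, or None if it is not reported."""
    match = _PATCH_RE.search(getprop_output)
    if match is None:
        return None
    try:
        return date.fromisoformat(match.group(1))
    except ValueError:  # malformed value: treat as unknown rather than patched
        return None


def is_patched(getprop_output: str) -> bool:
    """True if the reported patch level is at or beyond the required level."""
    level = parse_patch_level(getprop_output)
    return level is not None and level >= REQUIRED_PATCH_LEVEL


def days_until_due(today_iso: str) -> int:
    """Days left before the KEV due date (negative once it has passed)."""
    return (KEV_DUE_DATE - date.fromisoformat(today_iso)).days


def triage(inventory: Dict[str, Dict[str, object]]) -> Dict[str, List[str]]:
    """Sort devices into: patched, update_required, replace, unknown.

    Each inventory entry carries the device's getprop output and a "supported"
    flag taken from the OEM's update-eligibility list (assumed to be known).
    An unpatched device that is no longer supported cannot be fixed by an
    update and must be replaced, which is the article's point about old phones.
    """
    buckets: Dict[str, List[str]] = {
        "patched": [], "update_required": [], "replace": [], "unknown": []
    }
    for name, entry in inventory.items():
        output = str(entry.get("getprop", ""))
        if parse_patch_level(output) is None:
            buckets["unknown"].append(name)       # no readable patch level
        elif is_patched(output):
            buckets["patched"].append(name)
        elif entry.get("supported"):
            buckets["update_required"].append(name)  # OEM update still to come
        else:
            buckets["replace"].append(name)       # out of support: new hardware
    return buckets


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = {
    "pixel-alice": {
        "getprop": "[ro.build.version.release]: [16]\n"
                   "[ro.build.version.security_patch]: [2025-09-05]\n",
        "supported": True,
    },
    "galaxy-bob": {  # has the -01 level only, so still lacks the kernel fix
        "getprop": "[ro.build.version.release]: [15]\n"
                   "[ro.build.version.security_patch]: [2025-09-01]\n",
        "supported": True,
    },
    "legacy-carol": {
        "getprop": "[ro.build.version.release]: [10]\n"
                   "[ro.build.version.security_patch]: [2023-02-05]\n",
        "supported": False,
    },
    "offline-dave": {"getprop": "", "supported": True},
}

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(devices) or '-'}")
    print(f"days until KEV due date: {days_until_due(date.today().isoformat())}")
```

The "galaxy-bob" entry is the case worth noticing: a device can report a September 2025 patch level and still be missing the kernel fix, because the bulletin publishes two levels and only the later one includes the kernel and vendor patches. Comparing against the -05 level, rather than just the month, avoids counting such a device as fixed.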


CISA describes CVE-2025-38352 as a Linux kernel "time-of-check time-of-use race condition vulnerability that has a high impact on confidentiality, integrity, and availability." CVE-2025-48543 it describes as an "Android Runtime Use-After-Free Vulnerability," which "potentially allows a Chrome sandbox escape leading to local privilege escalation." That second description is why this matters to ordinary web users: a bug in Chrome's renderer gives an attacker code running inside a tightly sandboxed process, and a runtime flaw like this one is the step that breaks out of that sandbox to reach the rest of the device.

While CISA’s update mandate is for federal staff only, its guidance is much broader. The agency and its KEV catalog operate “for the benefit of the cybersecurity community and network defenders” across both the public and private sector.


