Google fixes 107 critical Android bugs and warns of two zero-days

  • Google has patched 107 vulnerabilities in Android, including flaws in the framework, system, kernel, and third-party components.
  • Two zero-days in the framework (CVE-2025-48633 and CVE-2025-48572) have been exploited in a limited and targeted way in espionage campaigns.
  • The update introduces patch levels 2025-12-01 and 2025-12-05; devices with the latter level are already protected.
  • Updating your mobile device, installing apps only from official sources, and checking permissions are key to reducing the risk of exploitation.

Android Security Update

Google's latest Android patch update has arrived packed with new features and, above all, serious security warnings. The company has fixed 107 vulnerabilities in a single monthly update, a considerable volume that confirms the extent to which the most used mobile ecosystem on the planet is in the crosshairs of attackers and espionage groups.

Beyond the number, what is truly worrying are some of the bugs that were fixed. Two zero-day vulnerabilities in the Android framework have already been exploited in a limited and targeted way. This aligns with highly targeted surveillance campaigns, possibly linked to commercial spyware or to actors with significant resources. If you have a relatively recent Android phone, this update directly affects you.

What has Google fixed in the December update

In its December security bulletin, Google details that 107 vulnerabilities have been fixed across the framework, system, kernel and closed-source third-party components. These components belong to manufacturers such as Arm, MediaTek, Qualcomm, Imagination Technologies, and Unisoc, among others, who provide key hardware and software components for Android phones.

As usual, Google has organized the patches into two patch levels, dated 2025-12-01 and 2025-12-05. This scheme allows device manufacturers to ship the fixes common to all Android devices more quickly, while they prepare the remaining fixes specific to their models.

In practice, if your phone shows a security patch level of 2025-12-05 or later, it includes fixes for all the vulnerabilities described in the December bulletin. Until then, you may still be exposed to some of them, especially the most recent or most serious ones. It is advisable to optimize Android before updating to reduce problems during the process.

The flaws cover every type of impact, from disclosure of sensitive information and elevation of privilege to remote denial of service (DoS). Some require user interaction or the installation of a malicious app; others can be exploited remotely without any additional permissions.

Google also points out that device manufacturers receive information about these vulnerabilities at least one month before the bulletin is published. However, this does not guarantee that all models will receive the patch at the same time, or even at all, especially low-end or very old devices that have already fallen outside the official update cycle.

Two zero-day exploits in the Android framework

Within this December update, two zero-day vulnerabilities stand out in particular: they were already being used in real attacks before they were made public. Both reside in the Android framework, that is, in the layer of APIs, system services and components on which virtually all applications are built.

The framework is a crucial part of the operating system because it provides the classes and services that allow apps to interact with the other layers of Android. This layer handles activities, views, notifications, storage access, networking, sensors, and many other functions. Any vulnerability here has enormous potential repercussions, as it can be exploited by a seemingly legitimate app to gain access it should not have.

Google has confirmed that these two vulnerabilities, tracked as CVE-2025-48633 and CVE-2025-48572, have been used in limited and targeted attacks. The company speaks of “limited and segmented exploitation,” an expression often associated with espionage operations focused on very specific targets rather than with mass malware campaigns.

Various sources within the cybersecurity community indicate that these types of flaws fit very well with the way commercial spyware providers such as NSO Group, Candiru, or Intellexa operate; these companies have historically exploited zero-day vulnerabilities in mobile platforms to monitor journalists, activists, or high-profile individuals.

The first flaw, CVE-2025-48633, has been described as an information disclosure vulnerability in the framework. Although Google has not yet published an in-depth technical analysis or a definitive CVSS score, everything suggests that it could allow an application with limited permissions to access sensitive data in memory or internal system information that, under normal conditions, should be protected.

The second vulnerability, CVE-2025-48572, is classified as a privilege escalation flaw in the framework. According to some technical analyses, it originates from incorrect input validation within a framework component, which would enable a locally installed app to execute arbitrary code with higher privileges; its impact is rated 7.4 out of 10 on the CVSS scale.

The combination of a privilege escalation vulnerability with an information leak is especially dangerous because the two flaws can be chained into a single exploitation chain: first, useful information is obtained to bypass protections, and then the access level is raised to take deeper control of the device.

Scope of the failures and espionage campaigns

Google has indicated that these two vulnerabilities affect Android 13, 14, 15 and 16, that is, a significant portion of the active device fleet. The fact that these are modern versions confirms that we are not talking about obsolete systems but about current devices, many of them still within their main support lifecycle.

The company's own language refers to a "limited and specific exploit," a formula that, according to experts cited by cybersecurity media, Google typically uses when it detects zero-day exploits being used in discreet surveillance operations, often backed by states or by companies that sell intrusion tools to the highest bidder.

In the past, groups of this type have been seen exploiting similar vulnerabilities in Android and iOS to infect phones with advanced spyware capable of accessing messages, calls, location, microphone or camera without the user having any indication of what is happening.

The United States cybersecurity agency, CISA (Cybersecurity and Infrastructure Security Agency), has reacted quickly by adding both CVE-2025-48572 and CVE-2025-48633 to its Known Exploited Vulnerabilities (KEV) catalog. This means that civilian federal agencies in that country are required to apply the patches before a specific deadline, in this case December 23, 2025.

This addition to the KEV catalog is a clear sign that the authorities consider these flaws active risks, not merely theoretical ones. The affected agencies are required to update their Android devices or take compensating measures, such as removing from service those models that cannot be updated.

Other critical vulnerabilities: denial of service and kernel

Although the two zero-days grab the headlines, they are not the only serious vulnerabilities addressed in this bulletin. Google has also patched a critical vulnerability, CVE-2025-48631, in the Android framework, capable of causing a remote denial of service (DoS) without requiring additional execution permissions.

A remote denial of service may not sound as flashy as a privilege escalation, but it can render a device temporarily unusable, for example by sending the system into a reboot loop or knocking out essential services. In corporate contexts or critical infrastructure, these types of attacks can have a significant operational impact.

The bulletin also lists four additional critical vulnerabilities in the Android kernel, tracked as CVE-2025-48623, CVE-2025-48624, CVE-2025-48637 and CVE-2025-48638. All are privilege escalation vulnerabilities, meaning they could allow an attacker with limited access to the system to gain almost total control of the device.

The kernel is the central piece of the operating system: it manages memory, processes, hardware access, and internal communications. A kernel exploit typically gives attackers enormous power because it allows them to escape the restrictions imposed on normal applications and operate with system privileges.

These fixes come just months after Google resolved two more vulnerabilities that were being exploited in the wild: one in the Linux kernel (CVE-2025-38352, with a CVSS score of 7.4) and the other in the Android Runtime (CVE-2025-48543, also scored 7.4). In both cases, the end result was local privilege escalation.

This pattern of successive patches makes it clear that attackers have long been focusing their efforts on very deep parts of the system, not only on surface layers such as the browser or apps. Flaws in the kernel, runtime, and framework allow for highly sophisticated intrusion campaigns that are difficult for the average user to detect.

How to know if your mobile phone is protected

If you use an Android device and are concerned about this flood of vulnerabilities, the first step is to check your system version and patch level. You can do this from your phone's settings, in the device information and software update sections, although the exact path may vary slightly depending on the manufacturer and its customization layer.

On most phones, the standard path is Settings > About phone (or About device) and, within that menu, the Software update or System updates section. There you will see both the installed Android version and the security patch level, and in some cases the Google Play system update version.

If that section shows a patch level equal to or later than 2025-12-05, you already have the fixes for all vulnerabilities included in the December bulletin, including the exploited zero-days. If the date is earlier, you still need to receive some of the patches.

Your phone should show an automatic notification when an update is available, but if you haven't updated in a while or have postponed several notifications, it's best to go to the updates section manually and tap the check or download button. In many cases, simply being connected to a Wi-Fi network and having enough battery to start the process is sufficient. And if you need to troubleshoot problems, learn how to access fault logs for more details.

It's worth remembering that, even if Google publishes the bulletin and makes the patches available to manufacturers, the brands are responsible for packaging and distributing the updates for each model. This means that the speed and frequency of patches can vary greatly between a recent high-end model and an entry-level model that is several years old.
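The manual check above (and the two-level patch scheme described earlier) can also be done from a computer, which is handy when you manage several devices. The following script is an added example, not part of the article: it reads the standard `ro.build.version.security_patch` property over adb and compares it with 2025-12-05, the level that covers the whole December bulletin. It assumes USB debugging is enabled and Android platform-tools are installed; the comparison itself works on plain strings, so it can be exercised without a device.

```shell
#!/bin/sh
# Added example, not from the article: compare an Android device's security
# patch level with the level that covers the whole December 2025 bulletin.
# The live value comes from the standard system property
# ro.build.version.security_patch, read through adb.

REQUIRED_PATCH="2025-12-05"   # patch level named in the bulletin

# Turn YYYY-MM-DD into the integer YYYYMMDD so levels can be compared
# numerically; any other shape is rejected with status 1.
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) echo "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Exit status 0 if the device level (1st arg) is at least the required level
# (2nd arg), 1 if it is older, 2 if either value is malformed.
patch_is_current() {
    have=$(patch_to_int "$1") || return 2
    need=$(patch_to_int "$2") || return 2
    [ "$have" -ge "$need" ]
}

# Read the property from a connected device (USB debugging must be enabled).
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r\n'
}

check_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; install Android platform-tools" >&2
        return 2
    fi
    level=$(device_patch_level)
    if patch_is_current "$level" "$REQUIRED_PATCH"; then
        echo "patch level $level covers the December 2025 bulletin"
    else
        echo "patch level '$level' is older than $REQUIRED_PATCH (or unreadable); update pending" >&2
        return 1
    fi
}

# Run the live check only when asked, so the functions can be sourced or tested
# without a device attached:  RUN_DEVICE_CHECK=1 sh patchcheck.sh
if [ "${RUN_DEVICE_CHECK:-0}" = "1" ]; then
    check_device
fi
```

A patch level of 2025-12-01 returns status 1 (only the common fixes are present), and an empty or garbled value returns 2 rather than being treated as "up to date", so a device that adb cannot read is never reported as protected.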

Best practices to prevent attacks even when vulnerabilities exist

Even when the system is kept up to date, attackers often look for additional entry points, taking advantage of user oversights. Installing malicious applications is one of the most common of these, especially when apps are downloaded from unreliable sources or via links received through messaging apps. That's why it can be useful to block app installation on your device.

A basic recommendation is to limit app installations to official stores (such as Google Play or the manufacturer's own app store) whenever possible. This doesn't guarantee 100% that a malicious app won't slip through, but it greatly reduces the risk compared to downloading APKs directly from unknown websites.

Before installing sensitive applications, such as banking apps, cryptocurrency wallets, or e-commerce platforms, it's worth taking the necessary precautions. Carefully review the developer's name, the number of downloads, and reviews from other users. Being wary of a lone promotional link that arrives via SMS, email or messaging, and searching for the app in the store yourself instead, is a small gesture that can prevent many unpleasant surprises.

It is also recommended to monitor the permissions requested by each application. If a flashlight app requests access to SMS messages, contacts, or the camera, something is not right. Particularly sensitive permissions such as accessibility, access to messages, calls, or the microphone should be granted with extreme caution, and only to apps you fully trust.

As an extra layer of protection, a mobile security solution can be helpful. Reputable security tools, such as those from companies specializing in antimalware, are capable of detecting suspicious behavior, malicious applications, and dangerous connections. They are not a magic solution, but they do provide additional help against threats that exploit vulnerabilities in the system or apps.
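The permission review just described can be automated for a device connected over adb. The script below is an added example, not code from the article: it lists user-installed packages with `adb shell pm list packages -3`, reads each one's `dumpsys package` output, and reports which of a chosen set of sensitive permissions are granted. The list of permissions, the package name `com.example.flashlight` and the dumpsys excerpt are constructed for the example; the parser runs on plain text, so it works on a pasted excerpt without a device.

```shell
#!/bin/sh
# Added example, not from the article: audit which third-party apps on a device
# hold the sensitive permissions the text singles out (SMS, contacts, camera,
# microphone, call log, precise location). Uses the standard adb commands
# `pm list packages -3` and `dumpsys package <pkg>`; the parser itself runs on
# plain text, so it can be exercised on a pasted excerpt without a device.

# Permissions treated as sensitive here (a list chosen for this example, not an
# Android constant).
SENSITIVE_PERMS="android.permission.READ_SMS android.permission.RECEIVE_SMS
android.permission.READ_CONTACTS android.permission.CAMERA
android.permission.RECORD_AUDIO android.permission.READ_CALL_LOG
android.permission.ACCESS_FINE_LOCATION"

# Read `dumpsys package` output on stdin and print each sensitive permission
# reported as granted, one per line, sorted. dumpsys prints entries such as
#     android.permission.CAMERA: granted=true, flags=[ USER_SET]
granted_sensitive_perms() {
    grep -E '^[[:space:]]*android\.permission\.[A-Z_]+: granted=true' \
    | sed -E 's/^[[:space:]]*(android\.permission\.[A-Z_]+): granted=true.*/\1/' \
    | while IFS= read -r perm; do
          for wanted in $SENSITIVE_PERMS; do
              [ "$perm" = "$wanted" ] && echo "$perm"
          done
      done \
    | sort -u
}

# Count the granted sensitive permissions in a dumpsys excerpt read on stdin.
count_sensitive_perms() {
    granted_sensitive_perms | wc -l | tr -d ' '
}

# Walk every user-installed package on the attached device and report those
# holding at least one sensitive permission.
audit_device() {
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' \
    | while IFS= read -r pkg; do
          perms=$(adb shell dumpsys package "$pkg" | tr -d '\r' | granted_sensitive_perms)
          [ -n "$perms" ] && printf '%s: %s\n' "$pkg" "$(printf '%s' "$perms" | tr '\n' ' ')"
      done
}

# Constructed dumpsys excerpt for a hypothetical flashlight app; a torch has no
# business reading SMS, which is exactly the mismatch the article warns about.
SAMPLE_DUMPSYS='Package [com.example.flashlight] (1a2b3c4):
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET]
      android.permission.CAMERA: granted=true, flags=[ USER_SET]
      android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET]
      android.permission.ACCESS_COARSE_LOCATION: granted=true, flags=[ USER_SET]'

# Live audit only on request (RUN_DEVICE_AUDIT=1 sh permaudit.sh); otherwise
# demonstrate the parser on the constructed excerpt.
if [ "${RUN_DEVICE_AUDIT:-0}" = "1" ]; then
    audit_device
else
    printf '%s\n' "$SAMPLE_DUMPSYS" | granted_sensitive_perms
fi
```

On the constructed excerpt the parser reports only READ_SMS and CAMERA: the contacts permission is present but not granted, and coarse location is deliberately left out of the sensitive list. A real run prints one line per package so the output can be diffed over time to spot apps that quietly gained a permission after an update.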

The role of Google, manufacturers, and users

The release of a security bulletin with over one hundred fixed vulnerabilities reflects both the magnitude of current attacks and the responsiveness of the Android ecosystem. Google coordinates vulnerability research, develops patches, and distributes them to manufacturers. However, the time it takes for them to reach each user still depends on multiple factors.

Device manufacturers have to adapt and test the patches on their customization layers. This involves integrating them with third-party drivers (such as those for Qualcomm, MediaTek, or Arm chips) and ensuring that the update doesn't break key functions. This process can be relatively quick on high-end devices from leading brands and much slower, or nonexistent, on budget devices.

For their part, users play a crucial role by not postponing updates indefinitely. It's tempting to ignore the "a new version is available" notification for fear of interface changes or slower performance, but when it comes to security patches, the risk of falling behind is much greater than the occasional inconvenience of installation.

Alongside these monthly updates, Google also pushes fixes through Google Play system updates, which allow certain components to be patched without relying so heavily on manufacturers. However, not everything can be fixed this way, and many of the issues described in this bulletin still require a complete system update.

The security of an Android device is the result of three gears: the work of Google and the researchers, the commitment of the manufacturers, and the attitude of the user. When any of those gears fails, gaps open up that attackers are quick to exploit.

This entire deluge of patches in December demonstrates that, although the Android ecosystem is complex and there will always be vulnerabilities, keeping your device updated, installing only trusted apps, checking permissions, and paying attention to official alerts remains the best combination for moving more peacefully through the digital world, even knowing that espionage groups and cybercriminals will not stop looking for new holes to exploit.
