Published: December 3, 2025
Google’s latest Android security update is one of the biggest of the year, fixing 107 vulnerabilities across the mobile operating system — including two zero‑day bugs already being used in real‑world attacks. [1]
On top of Google’s own warning that the flaws are under “limited, targeted exploitation,” the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has now added both bugs to its Known Exploited Vulnerabilities (KEV) catalog, effectively confirming that attackers are actively going after unpatched Android devices. [2]
Here’s what’s in the December 2025 Android security bulletin, why the two zero‑days matter, and how to make sure your phone is protected today.
What did Google patch in the December 2025 Android security update?
Google published the Android Security Bulletin — December 2025 on December 1, 2025, with patches split across two security patch levels: 2025‑12‑01 and 2025‑12‑05. Devices with a security patch level of 2025‑12‑05 or later are protected against all 107 vulnerabilities listed in the bulletin. [3]
According to Google and multiple security write‑ups, the fixes cover: [4]
- Framework and System components
- The Android kernel
- Vendor code from Arm, Imagination Technologies, MediaTek, Qualcomm, Unisoc and others
Within those 107 vulnerabilities, seven are rated critical, including: [5]
- CVE‑2025‑48631 – a Framework bug that can lead to remote denial of service without any extra privileges
- Four critical kernel elevation‑of‑privilege (EoP) flaws:
- CVE‑2025‑48623 (pKVM)
- CVE‑2025‑48624 (IOMMU)
- CVE‑2025‑48637 (pKVM)
- CVE‑2025‑48638 (pKVM)
- Two critical vulnerabilities in Qualcomm closed‑source components:
- CVE‑2025‑47319 – exposure of sensitive system information
- CVE‑2025‑47372 – buffer overflow that can corrupt memory
Google says the most severe of these could enable remote denial‑of‑service attacks against affected devices, while the kernel and vendor bugs could be chained with other issues for deeper compromise. [6]
The two exploited Android zero‑days: CVE‑2025‑48633 and CVE‑2025‑48572
The headline story in this month’s update is a pair of high‑severity zero‑day vulnerabilities in the Android Framework:
- CVE‑2025‑48633 – information disclosure in the Framework
- CVE‑2025‑48572 – elevation of privilege in the Framework [7]
Google’s bulletin notes that there are “indications that the following may be under limited, targeted exploitation” and lists exactly these two CVEs. [8]
Security analyses shed a bit more light on what that means in practice: [9]
- Both bugs affect Android versions 13, 14, 15 and 16, so current flagship and mid‑range phones are in scope.
- CVE‑2025‑48572 is linked to improper input validation in Framework, allowing a local app to execute arbitrary code with elevated privileges (CVSS 7.4 reported by one tracker).
- CVE‑2025‑48633 is believed to be another input‑validation issue that can leak sensitive system information or defeat sandboxing.
- Google’s careful wording and past precedent around similar Framework zero‑days suggest these flaws are likely being abused in highly targeted spyware or surveillance campaigns rather than broad, opportunistic attacks.
At the time of writing, the official CVE entries for both vulnerabilities are still marked as “reserved”, meaning full technical details have not yet been published. [10]
CISA confirms active exploitation and puts Android bugs in its KEV list
On December 2, 2025, CISA added both Android Framework vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog: [11]
- CVE‑2025‑48572 – Android Framework Privilege Escalation Vulnerability
- CVE‑2025‑48633 – Android Framework Information Disclosure Vulnerability
Under Binding Operational Directive 22‑01, U.S. federal civilian agencies must prioritize patching all KEV‑listed issues within defined deadlines, because such bugs are known to be used in real attacks. [12]
CISA warns that these types of Framework vulnerabilities are a frequent attack vector for malicious actors and strongly urges all organizations — not just government agencies — to treat KEV entries as top‑priority patch items in their vulnerability‑management programs. [13]
For everyday users, the takeaway is simple: this is no longer a theoretical risk. At least some attackers already know how to exploit these flaws, and they’re doing it.
Which devices are affected?
The December 2025 Android security updates are officially documented for Android 13, 14, 15 and 16, covering a wide range of phones and tablets from Google and OEM partners. [14]
Key points about coverage:
- Android versions:
- Vulnerabilities and fixes are listed against Android 13–16 in the bulletin tables and vendor advisories. [15]
- Patch levels:
- Devices with security patch level 2025‑12‑01 include all fixes tied to the 12‑01 level (Framework/System portion of the update).
- Devices with security patch level 2025‑12‑05 or later include all December 2025 fixes (all 107 vulnerabilities) and all earlier patch levels. [16]
- Pixel phones:
- Google’s Pixel December 2025 bulletin confirms that supported Pixel devices with 2025‑12‑05 patch level get the complete set of Android and Pixel‑specific fixes, including 33 functional bug‑fixes across audio, battery, UI, connectivity and more. [17]
If your device is stuck on an older Android version or no longer receives security updates, it will not get these patches — which significantly increases long‑term risk.
How to check if your Android phone is protected
The most important thing you can do today is verify your security patch level and apply any pending updates.
Step‑by‑step: check your Android security patch level
The exact wording varies slightly by manufacturer, but on most phones you can do this: [18]
- Open the Settings app.
- Scroll to About phone (or About device).
- Tap Software information, Android version, or Android update (names differ per vendor).
- Look for “Android security update” or “Android security patch level.”
- Check the date shown there.
You’re looking for:
- At least 2025‑12‑01 – covers the first wave of December vulnerabilities, including the actively exploited Framework zero‑days.
- Best: 2025‑12‑05 or later – covers all 107 December 2025 vulnerabilities and previous bulletins. [19]
If no update is available yet, try again later today and over the next few days — vendors often stage rollouts by region and device.
How attackers could abuse these flaws
While neither Google nor CISA has disclosed specific attack chains, public analysis offers a likely scenario for how these Framework zero‑days would be used in practice: [20]
- Initial foothold via an app
  Attackers convince a target to install a malicious app, perhaps disguised as a chat client, productivity tool or financial app. This may come from phishing links, third‑party app stores or SMS messages.
- Privilege escalation (CVE‑2025‑48572)
  Once installed, the malicious app exploits the privilege‑escalation flaw in the Framework to gain higher‑than‑intended permissions, potentially achieving system‑level access.
- Information disclosure (CVE‑2025‑48633)
  The information‑disclosure flaw could be used to peek into memory or system structures, bypassing sandbox protections and leaking sensitive data that helps attackers maintain persistence or exfiltrate information.
- Chaining with other bugs
  Combined with kernel or vendor EoP vulnerabilities, attackers could escape further OS protections, implant spyware, or silently exfiltrate messages, location data and more.
Researchers point out that this pattern mirrors recent commercial spyware campaigns targeting high‑risk users such as journalists, activists, and corporate executives — though definitive attribution for these specific bugs has not been made public. [21]
Practical security advice for everyday Android users
While the underlying technical details are complex, the defensive steps for regular users are refreshingly simple:
1. Update your phone as soon as possible
- Go to Settings → System → System update (or your vendor’s equivalent) and manually check for updates, even if you haven’t seen a notification. [22]
- Install any available update that brings your Android security patch level to 2025‑12‑05 or later.
2. Only install apps from trusted sources
The exploited zero‑days require a local application to trigger them, which means limiting what can run on your phone greatly reduces risk: [23]
- Prefer the Google Play Store and well‑known vendor stores over random download sites.
- Avoid apps pushed via SMS, email, social media DMs or QR codes.
- Before installing finance, banking or shopping apps, double‑check the developer name, download count and reviews.
3. Audit your app permissions
Many malicious apps ask for far more access than they need:
- Revoke unnecessary permissions, especially Accessibility, SMS, call logs, contacts, camera and location.
- Delete apps you no longer use.
4. Consider additional protection
A reputable mobile security app can help spot malicious packages, risky URLs and suspicious behaviour that might indicate exploitation attempts. [24]
What enterprises and IT teams should do now
For organizations managing fleets of Android devices, the December 2025 update is a high‑priority emergency patching event.
Recommended actions based on Google’s bulletin, CISA’s KEV guidance and industry analysis: [25]
- Inventory Android endpoints
- Use MDM/UEM tools to identify all devices running Android 13–16 and record their current security patch level.
- Enforce a minimum patch level
- Define 2025‑12‑05 as the minimum acceptable Android security patch level for corporate‑managed devices, especially those with access to sensitive data.
- Align with CISA KEV timelines
- Even if you’re outside the U.S. federal ecosystem, treat KEV‑listed vulnerabilities like these as must‑patch‑now issues and communicate clear internal deadlines.
- Harden app‑installation policies
- Restrict or log unknown sources and side‑loading where possible.
- Consider whitelisting only approved corporate and store apps on high‑risk user profiles.
- Monitor for suspicious mobile activity
- Watch for unusual network traffic, newly installed apps with broad permissions, or EDR alerts tied to Android devices.
- Where feasible, integrate mobile telemetry into your SIEM/SOC workflows.
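As an added example (not code from the original article or any of its cited sources), the following POSIX shell script turns the patch‑level check described for individual phones and the "enforce a minimum patch level" step above into a fleet report: it classifies each device against the 2025‑12‑01 and 2025‑12‑05 thresholds. The inventory rows are constructed; on a real device the value comes from the standard Android build property read with `adb shell getprop ro.build.version.security_patch`.

```shell
# Classify Android devices against the December 2025 patch levels.
# On a real device the patch level comes from:
#   adb shell getprop ro.build.version.security_patch   # e.g. 2025-12-05
# INVENTORY is a constructed MDM-style export (device,patch_level) so the
# script runs offline; substitute your own export.
INVENTORY='pixel-lab-01,2025-12-05
galaxy-sales-17,2025-12-01
galaxy-sales-22,2025-11-01
tablet-warehouse-03,2025-10-05
pixel-exec-02,2026-01-05
kiosk-lobby-04,unknown'

# classify_patch_level YYYY-MM-DD -> full | partial | unprotected | invalid
#   full:        2025-12-05 or later, all 107 December fixes present
#   partial:     2025-12-01 to 12-04, Framework zero-days fixed, but the
#                kernel/vendor fixes tied to the 12-05 level still missing
#   unprotected: before 2025-12-01, the exploited zero-days are unpatched
classify_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 1 ;;
    esac
    # Dropping the dashes turns the date into an integer (20251205).
    n=$(printf '%s' "$1" | sed 's/-//g')
    if [ "$n" -ge 20251205 ]; then echo full
    elif [ "$n" -ge 20251201 ]; then echo partial
    else echo unprotected
    fi
}

# count_status STATUS -> how many inventory devices have that status
count_status() {
    count=0
    for entry in $INVENTORY; do
        status=$(classify_patch_level "${entry#*,}") || true
        [ "$status" = "$1" ] && count=$((count + 1))
    done
    echo "$count"
}

# report -> one line per device plus the number below the 12-05 minimum
report() {
    for entry in $INVENTORY; do
        printf '%-20s %-11s %s\n' "${entry%%,*}" "${entry#*,}" \
            "$(classify_patch_level "${entry#*,}")"
    done
    below=$(( $(count_status partial) + $(count_status unprotected) + $(count_status invalid) ))
    printf 'Below minimum patch level 2025-12-05: %s device(s)\n' "$below"
}
```

Devices reported as partial have the exploited Framework zero‑days fixed but still lack the kernel and vendor fixes, so they belong on the same follow‑up list as unprotected ones.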
FAQ: December 2025 Android security update
Is this only a Pixel issue?
No. The vulnerabilities are in Android Framework and core components, not just Google’s Pixel line. Any device running Android 13, 14, 15 or 16 that hasn’t received the December 2025 security update could be exposed. [26]
Will a Google Play system update alone fix these bugs?
No. Google explicitly notes that no security issues were addressed via Google Play system (Project Mainline) updates this month — all fixes are delivered through the Android security patch levels (2025‑12‑01 and 2025‑12‑05). [27]
How urgent is this if I’m not a “high‑value target”?
The current exploitation appears to be targeted, but history shows that techniques from elite campaigns can trickle down to broader criminal use over time. Treat this as urgent regardless of your profile — especially since updating is straightforward and low‑effort.
What if my phone no longer gets updates?
If your device is end‑of‑life and stuck on an older security patch:
- Avoid installing new apps, especially from outside major app stores.
- Don’t use the device for banking, work email, or sensitive communications.
- Start planning to replace the device with one that still receives security updates.
The bottom line
As of December 3, 2025, the situation is clear:
- Google has patched 107 Android vulnerabilities — including two Framework zero‑days already being exploited. [28]
- CISA has confirmed these flaws are in the wild and put them on its Known Exploited Vulnerabilities list. [29]
- Updating your phone to the 2025‑12‑05 patch level is the most effective way to protect yourself.
If you take one action after reading this, make it this: open your phone’s Settings and install the December 2025 Android security update right now.
References
1. source.android.com
2. securityaffairs.com
3. source.android.com
4. www.securityweek.com
5. source.android.com
6. source.android.com
7. www.securityweek.com
8. source.android.com
9. www.malwarebytes.com
10. www.cve.org
11. securityaffairs.com
12. securityaffairs.com
13. thecyberexpress.com
14. www.malwarebytes.com
15. source.android.com
16. source.android.com
17. source.android.com
18. www.malwarebytes.com
19. source.android.com
20. www.malwarebytes.com
21. www.techradar.com
22. www.malwarebytes.com
23. www.malwarebytes.com
24. www.malwarebytes.com
25. source.android.com
26. source.android.com
27. www.securityweek.com
28. www.securityweek.com
29. securityaffairs.com
