Urgent Android Update: Google Patches 107 Flaws, Two Zero-Days Under Active Attack

Google Releases December 2025 Android Security Update, Addressing Two Actively Exploited Zero-Day Vulnerabilities

Severity: CRITICAL
December 1, 2025
Topics: Vulnerability, Patch Management, Mobile Security

Related Entities

Organizations

Google, Qualcomm, Arm, MediaTek, Unisoc, Imagination Technologies, Android Open Source Project (AOSP)

CVE Identifiers

  • CVE-2025-48633 (HIGH)
  • CVE-2025-48572 (HIGH)
  • CVE-2025-48631 (CRITICAL)
  • CVE-2025-48623 (CRITICAL)
  • CVE-2025-48624 (CRITICAL)
  • CVE-2025-48637 (CRITICAL)
  • CVE-2025-48638 (CRITICAL)

Executive Summary

On December 1, 2025, Google released its monthly Android security update, addressing a total of 107 vulnerabilities across the ecosystem. The update is of critical importance as it contains patches for two zero-day vulnerabilities that are being actively exploited in limited, targeted attacks: CVE-2025-48633 (Information Disclosure) and CVE-2025-48572 (Elevation of Privilege). The most severe flaw fixed is CVE-2025-48631, a critical remote denial-of-service (DoS) vulnerability in the Android Framework that requires no user interaction to exploit. The patches are being delivered in two levels (2025-12-01 and 2025-12-05) and will be rolled out by device manufacturers. All Android users are strongly advised to apply the update immediately upon availability.

Vulnerability Details

The December 2025 update addresses a wide range of flaws, but three stand out due to their severity and exploitation status.

  • CVE-2025-48633 (High, Actively Exploited): An information disclosure vulnerability in the Android Framework. Successful exploitation could allow an attacker to access sensitive information on the device. It is suspected to be used by spyware vendors.
  • CVE-2025-48572 (High, Actively Exploited): An elevation of privilege (EoP) vulnerability, also in the Android Framework. This type of flaw is often chained with other vulnerabilities (like a remote code execution bug) to gain higher-level access to the device, ultimately leading to a full compromise.
  • CVE-2025-48631 (Critical): A remote denial-of-service (DoS) vulnerability in the Framework. An unauthenticated, remote attacker could exploit this flaw to render a device unresponsive without any user interaction, making it particularly dangerous.

Other critical flaws include several EoP vulnerabilities in Protected KVM (PKVM) and IOMMU subsystems (CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, CVE-2025-48638) and two in Qualcomm components.

Affected Systems

  • Android Versions: 13, 14, 15, and 16 are affected.
  • Components: The vulnerabilities impact a wide range of core and third-party components, including:
    • Android Framework
    • Android System
    • Kernel (including PKVM and IOMMU)
    • Components from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unisoc.

Updates will be delivered by individual device manufacturers (e.g., Samsung, or Google for Pixel devices) as Over-the-Air (OTA) updates.

Exploitation Status

Google has confirmed there are "indications that CVE-2025-48633 and CVE-2025-48572 may be under limited, targeted exploitation." This means threat actors, likely sophisticated groups such as commercial spyware vendors, are actively using these flaws in real-world attacks. The presence of actively exploited zero-days elevates the urgency of patching to the highest level.

Impact Assessment

The impact of these vulnerabilities is severe. The actively exploited EoP and info-disclosure flaws (T1404 - Exploitation for Privilege Escalation) could be used by spyware to gain deep access to a victim's device, enabling the theft of messages, photos, location data, and microphone/camera activation. The critical remote DoS flaw (T1499 - Endpoint Denial of Service) could be used to disrupt communication for targeted individuals or potentially at a wider scale, impacting business continuity for organizations that rely on Android devices.

Cyber Observables for Detection

Detecting exploitation on-device is difficult without advanced mobile EDR solutions. However, organizations can monitor for signs of compromise.

| Type | Value / Pattern | Description | Context | Confidence |
|---|---|---|---|---|
| process_name | Unexpected processes running with root/system privileges | An indicator of successful privilege escalation | Mobile EDR, Forensic Analysis | medium |
| network_traffic_pattern | Connections to known spyware C2 infrastructure | Outbound traffic from Android devices to suspicious domains or IPs | Network Firewall, DNS Logs, Proxy Logs | medium |
| log_source | Android Debug Bridge (adb) logs | Look for anomalous error messages or crashes related to the Framework component | Device Logging, Mobile Device Management (MDM) | low |

Detection Methods

  • Vulnerability Scanning & Asset Management: Use a Mobile Device Management (MDM) or Unified Endpoint Management (UEM) solution to query the patch level of all managed Android devices. Create dashboards to track patching progress and identify non-compliant devices.
  • Network Monitoring: Monitor outbound network traffic from Android devices for connections to suspicious IP addresses or domains associated with known spyware campaigns. This is a form of D3FEND Network Traffic Analysis.
  • On-Device Agent: For high-risk users, deploy a mobile threat defense (MTD) solution capable of detecting anomalous process behavior, privilege escalation attempts, and malicious application installations.

Remediation Steps

  1. Patch Immediately: The primary and most effective remediation is to apply the December 2025 security update. Users should check for updates on their devices via Settings > System > System update.
  2. Prioritize Deployment: IT administrators should use their MDM/UEM solution to push the update to all corporate-owned devices, prioritizing those used by executives, IT staff, and users in sensitive roles.
  3. Monitor for Updates: Since updates are rolled out by manufacturers, users should monitor announcements from their specific device vendor (e.g., Samsung, OnePlus) to know when the patch is available.
  4. Limit App Installation: As a general security posture improvement, advise users to only install applications from the official Google Play Store to reduce the risk of introducing malicious apps that could exploit these vulnerabilities. This aligns with MITRE Mitigation M1033 - Limit Software Installation.

Timeline of Events

  • December 1, 2025: This article was published.

MITRE ATT&CK Mitigations

The primary mitigation is to apply the security patches provided by Google and the device manufacturers. This directly remediates the vulnerabilities.

Deploy Mobile Threat Defense (MTD) solutions to monitor for and block anomalous behaviors indicative of exploitation, such as unexpected privilege escalation or information access.

Restrict users to installing applications only from trusted repositories like the Google Play Store to reduce the attack surface.

D3FEND Defensive Countermeasures

The most critical and immediate action for all Android users and organizations is to implement D3-SU. Given that two vulnerabilities, CVE-2025-48633 and CVE-2025-48572, are actively exploited, patching is not a preventative measure but an active defense against ongoing attacks. For enterprise environments, IT administrators must leverage their Mobile Device Management (MDM) or Unified Endpoint Management (UEM) platforms to enforce the installation of the December 2025 security patch. A risk-based approach should be taken, prioritizing the devices of high-value targets such as executives, system administrators, and individuals in sensitive roles. Compliance dashboards must be monitored hourly to track the deployment progress. For individual users, enabling automatic updates is crucial. They should also be instructed to manually check for updates via 'Settings > Security & privacy > System & updates'. The existence of a critical, no-user-interaction DoS flaw (CVE-2025-48631) means that unpatched devices are at risk of being rendered useless remotely, posing a significant business continuity threat.
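The patch-level compliance check described under "Vulnerability Scanning & Asset Management" above and in the D3-SU paragraph can be scripted against whatever inventory an MDM/UEM exports. The example below is added here and is not code from the article, from Google, or from any MDM vendor. It assumes the export carries, per device, the value of the Android system property `ro.build.version.security_patch` (the same `YYYY-MM-DD` string that `adb shell getprop ro.build.version.security_patch` prints) together with the Android version and the owner's role; the inventory rows, role names and priority ordering are constructed for illustration.

```python
"""Patch-level compliance triage for a managed Android fleet.

Added example, not from the article or from Google. Assumes an MDM/UEM
export that includes ro.build.version.security_patch per device.
"""
from datetime import date

# The two patch levels named in the December 2025 bulletin. A device at the
# first level has only part of the month's fixes; the second level is complete.
LEVEL_FIRST = date(2025, 12, 1)
LEVEL_COMPLETE = date(2025, 12, 5)

# Android versions the bulletin lists as affected. Older, out-of-support
# versions are ranked last here, not treated as safe.
AFFECTED_VERSIONS = {"13", "14", "15", "16"}

# Hypothetical role names; lower number = patch sooner, as the article advises
# (executives, IT staff and sensitive roles first).
ROLE_PRIORITY = {"executive": 0, "it_admin": 0, "finance": 1, "staff": 2}

# Constructed sample export standing in for a real MDM/UEM API response.
SAMPLE_INVENTORY = [
    {"device_id": "dev-001", "os_version": "16", "security_patch": "2025-12-05", "role": "executive"},
    {"device_id": "dev-002", "os_version": "15", "security_patch": "2025-12-01", "role": "staff"},
    {"device_id": "dev-003", "os_version": "14", "security_patch": "2025-11-01", "role": "it_admin"},
    {"device_id": "dev-004", "os_version": "13", "security_patch": "2025-10-05", "role": "finance"},
    {"device_id": "dev-005", "os_version": "12", "security_patch": "2025-09-05", "role": "staff"},
    {"device_id": "dev-006", "os_version": "15", "security_patch": "unknown", "role": "staff"},
]


def parse_patch_level(value):
    """Parse a ro.build.version.security_patch string; None if malformed."""
    try:
        year, month, day = (int(part) for part in value.strip().split("-"))
        return date(year, month, day)
    except (ValueError, AttributeError):
        return None


def patch_status(security_patch):
    """Classify one device as 'complete', 'partial', 'unpatched' or 'unknown'."""
    level = parse_patch_level(security_patch)
    if level is None:
        return "unknown"
    if level >= LEVEL_COMPLETE:
        return "complete"
    if level >= LEVEL_FIRST:
        return "partial"  # first level only; remaining December fixes pending
    return "unpatched"


def triage(inventory):
    """Return (device_id, status, in_scope) for devices needing action,
    ordered so the most urgent appear first."""
    work = []
    for dev in inventory:
        status = patch_status(dev["security_patch"])
        if status == "complete":
            continue
        in_scope = dev["os_version"] in AFFECTED_VERSIONS
        # An unreadable patch level is treated as unpatched until verified.
        urgency = {"unknown": 0, "unpatched": 0, "partial": 1}[status]
        sort_key = (0 if in_scope else 1, urgency, ROLE_PRIORITY.get(dev["role"], 9))
        work.append((sort_key, dev["device_id"], status, in_scope))
    work.sort()
    return [(device_id, status, in_scope) for _, device_id, status, in_scope in work]


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

Run on the sample inventory, the unpatched IT-admin device comes out first and the Android 12 device last; a device reporting a malformed patch level is ranked with the unpatched ones rather than silently dropped, which is the failure mode that makes a dashboard look greener than the fleet is.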

In a post-patch environment, or for devices where patching is delayed, Process Analysis becomes a key detection strategy. Since CVE-2025-48572 is a privilege escalation flaw, its exploitation would result in a process gaining higher privileges than it should have. Mobile Threat Defense (MTD) solutions deployed on Android devices can perform this analysis. Security teams should configure MTD policies to specifically monitor for processes related to the Android Framework that spawn child processes with elevated (e.g., system or root) permissions. Baselines of normal application behavior should be established, and any deviation should trigger a high-severity alert. For example, if a seemingly benign application suddenly attempts to access system-level resources or modify protected files, it could be an indicator that it has successfully chained an exploit for CVE-2025-48572. This technique helps detect the exploitation of the EoP flaw even if the initial entry vector is unknown, serving as a critical compensating control.
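The process-analysis idea in the paragraph above (and the `process_name` observable in the detection table) reduces to two questions about a process snapshot: is a root or system process one we expect, and is its parent an ordinary app? The example below is added here and is not code from the article or from any MTD product. It assumes the snapshot is the output of `adb shell ps -A` in the toybox column layout (`USER PID PPID VSZ RSS WCHAN ADDR S NAME`), and that a per-fleet baseline of processes that legitimately run as root or system is available; the baseline and the sample snapshot are constructed for illustration.

```python
"""Privilege analysis over an Android ps snapshot.

Added example, not from the article or any vendor. Assumes `adb shell ps -A`
output (toybox layout) and a hypothetical per-fleet baseline.
"""
from collections import namedtuple

Proc = namedtuple("Proc", "user pid ppid name")

PRIVILEGED_USERS = {"root", "system"}

# Hypothetical baseline of names expected to run privileged on this fleet;
# a real one is built from known-good devices of the same build.
BASELINE_PRIVILEGED = {
    "init", "logd", "zygote64", "system_server", "servicemanager", "surfaceflinger",
}

# Constructed snapshot: a messaging app (u0_a123) has a root shell as a child.
SAMPLE_PS = """\
USER           PID  PPID     VSZ    RSS WCHAN            ADDR S NAME
root             1     0   10900   3200 0                   0 S init
root           512     1   23000   4100 0                   0 S logd
root           601     1  980000  44000 0                   0 S zygote64
system         890   601 2100000 180000 0                   0 S system_server
root           720     1   45000   9000 0                   0 S surfaceflinger
u0_a123       1450   601  900000  95000 0                   0 S com.example.messenger
u0_a123       1460  1450  700000  60000 0                   0 S com.example.messenger:push
root          1471  1450   12000   2100 0                   0 S sh
root          1480  1471   11000   1900 0                   0 R toybox
"""


def parse_ps(text):
    """Map pid -> Proc. The header line is skipped; NAME may contain spaces."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        user, pid, ppid, name = parts[0], int(parts[1]), int(parts[2]), parts[8]
        procs[pid] = Proc(user, pid, ppid, name)
    return procs


def is_app_user(user):
    """Android app UIDs are shown as u<user>_a<appid>, e.g. u0_a123."""
    return user.startswith("u") and "_a" in user


def analyze(text, baseline=BASELINE_PRIVILEGED):
    """Return sorted (pid, name, reason) findings for privileged processes that
    either descend directly from an app process or are absent from the baseline."""
    procs = parse_ps(text)
    findings = []
    for proc in procs.values():
        if proc.user not in PRIVILEGED_USERS:
            continue
        parent = procs.get(proc.ppid)
        if parent is not None and is_app_user(parent.user):
            findings.append((proc.pid, proc.name,
                             "privileged child of app process %s (%s)" % (parent.name, parent.user)))
        elif proc.name not in baseline:
            findings.append((proc.pid, proc.name, "privileged process not in baseline"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_PS):
        print(finding)
```

The app-to-root parent/child edge is the stronger signal of the two: a baseline miss can be a new legitimate daemon after a vendor update, whereas an app-owned process that has a root child has no benign explanation on a stock device, which is why the first check takes precedence over the second.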

Given that the zero-days are suspected to be used by spyware, monitoring network traffic is an effective way to detect a compromised device. The goal of spyware is to exfiltrate data, which requires network communication. Organizations should route mobile device traffic through a secure gateway or proxy where it can be inspected. Using D3-NTA, security teams should monitor for anomalous patterns from Android devices. This includes connections to unknown or newly registered domains, communication over non-standard ports, or data transfers to IP addresses in countries where the organization does not operate. Since CVE-2025-48633 is an information disclosure flaw, its exploitation would likely be followed by data exfiltration. By correlating threat intelligence feeds on known spyware C2 infrastructure with their own network logs (DNS, proxy, firewall), security teams can create high-fidelity alerts for potentially compromised Android devices, enabling rapid isolation and incident response.
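The traffic checks listed in the paragraph above (and under "Network Monitoring" in the detection methods) can be applied row by row to gateway or proxy logs once a few lookups are available. The example below is added here and is not code from the article. The log format, the threat-intel feed, the domain registration dates and the IP-to-country mapping are all constructed placeholders (reserved `.example`, `.invalid` and documentation address ranges); in practice they would come from the organization's proxy/DNS logs, a threat-intel platform, a WHOIS or passive-DNS service, and a geolocation database.

```python
"""Egress triage for Android device traffic seen at a proxy or gateway.

Added example, not from the article. Every lookup table below is a
constructed placeholder for a real data source.
"""
import csv
import io
from datetime import date

# Constructed stand-in for a threat-intel feed of spyware C2 domains.
C2_DOMAINS = {"c2-placeholder.example", "update-cdn.invalid"}

# Constructed stand-in for a WHOIS / registration-date lookup.
DOMAIN_REGISTERED = {
    "c2-placeholder.example": date(2025, 11, 20),
    "fresh-telemetry.example": date(2025, 11, 28),
    "www.example.com": date(1995, 8, 14),
    "mail.example.org": date(1995, 8, 31),
}

# Constructed stand-in for an IP geolocation lookup ("ZZ" = unassigned).
IP_COUNTRY = {"203.0.113.7": "ZZ", "198.51.100.9": "US",
              "192.0.2.44": "US", "198.51.100.20": "US"}
OPERATING_COUNTRIES = {"US", "CA"}  # where the organization operates

EXPECTED_PORTS = {80, 443, 853, 993}  # HTTP, HTTPS, DNS-over-TLS, IMAPS
NEW_DOMAIN_DAYS = 30
LARGE_UPLOAD_BYTES = 5_000_000

# Constructed proxy log; one row per connection from a managed device.
SAMPLE_LOG = """\
ts,device_id,dst_host,dst_ip,dst_port,bytes_out
2025-12-02T09:14:02Z,dev-002,www.example.com,192.0.2.44,443,1200
2025-12-02T09:15:10Z,dev-002,c2-placeholder.example,203.0.113.7,8443,40960
2025-12-02T09:16:00Z,dev-003,fresh-telemetry.example,198.51.100.9,443,7340032
2025-12-02T09:17:31Z,dev-004,mail.example.org,198.51.100.20,993,2048
2025-12-02T09:18:05Z,dev-004,198.51.100.20,198.51.100.20,4444,512
"""


def assess(row, today):
    """Return the list of reasons one log row is suspicious (empty if none)."""
    host, ip, port = row["dst_host"], row["dst_ip"], int(row["dst_port"])
    bytes_out = int(row["bytes_out"])
    reasons = []
    if host in C2_DOMAINS:
        reasons.append("known spyware C2 domain")
    registered = DOMAIN_REGISTERED.get(host)
    if registered is not None and (today - registered).days < NEW_DOMAIN_DAYS:
        reasons.append("domain registered %d days ago" % (today - registered).days)
    if port not in EXPECTED_PORTS:
        reasons.append("non-standard port %d" % port)
    country = IP_COUNTRY.get(ip, "unknown")
    if country not in OPERATING_COUNTRIES:
        reasons.append("destination country %s" % country)
    if bytes_out >= LARGE_UPLOAD_BYTES:
        reasons.append("large upload %d bytes" % bytes_out)
    return reasons


def severity(reasons):
    """A threat-intel hit is high severity on its own; other signals need two."""
    if "known spyware C2 domain" in reasons:
        return "high"
    return "medium" if len(reasons) >= 2 else "low"


def triage_log(text, today=date(2025, 12, 2)):
    """Return {device_id: [(dst_host, severity, reasons), ...]} for rows with findings."""
    alerts = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = assess(row, today)
        if reasons:
            alerts.setdefault(row["device_id"], []).append((row["dst_host"], severity(reasons), reasons))
    return alerts


if __name__ == "__main__":
    for device_id, hits in triage_log(SAMPLE_LOG).items():
        for host, sev, reasons in hits:
            print(device_id, host, sev, "; ".join(reasons))
```

On the sample log, dev-002 produces a high-severity alert (feed hit, fresh registration, odd port, unexpected country), dev-003 a medium one (a days-old domain receiving a multi-megabyte upload, the pattern an information-disclosure exploit followed by exfiltration would leave), and dev-004 a single low-severity port finding. The `today` parameter is passed in rather than read from the clock so that historical logs can be re-scored against the registration dates as they were at the time.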

Article Author: Jason Gomes (Cybersecurity Practitioner)


Tags: Android, Zero-Day, Vulnerability, Patch Management, Mobile Security, Google, Spyware, DoS
