Advisory

Google releases April 2025 Android security update fixing 62 flaws, including two actively exploited

Take action: Again, two actively exploited and multiple critical flaws are patched in this release. Plan to update your Android OS as soon as your vendor releases an update for your phone; depending on the vendor, you might wait weeks or months before the update reaches your device. In the meantime, make sure to turn off your mobile phone before handing it over to authorities: the exploited flaws don't work on the first boot of the phone.


Learn More

Google has released its April 2025 Android Security Bulletin addressing a total of 62 vulnerabilities, including two zero-day flaws that were being actively exploited in targeted attacks.

Actively exploited flaws

  • CVE-2024-53197 (CVSS score 7.8): A high-severity privilege escalation vulnerability in the Linux kernel's USB-audio driver for ALSA devices. This flaw was reportedly exploited by Serbian authorities to unlock confiscated Android devices using a zero-day exploit chain developed by Cellebrite, an Israeli digital forensics company. According to Amnesty International's Security Lab, this exploit was used against a youth activist in Serbia.
  • CVE-2024-53150 (CVSS score 7.1): A high-severity information disclosure vulnerability in the Android Kernel caused by an out-of-bounds read weakness. This flaw allows local attackers with access to a device to obtain sensitive information without any user interaction.

The April 2025 security update is divided into two patch levels (2025-04-01 and 2025-04-05), containing fixes for:

  • Critical vulnerabilities (per Google advisory):
    • CVE-2025-22429 (CVSS score 7.4): Information disclosure vulnerability in Framework
    • CVE-2025-26416 (CVSS score not assigned): Remote escalation of privilege in System component
    • CVE-2025-22423 (CVSS score not assigned): Denial of service in System component
    • CVE-2024-45551 (CVSS score 6.2): Critical vulnerability in Qualcomm closed-source component
  • 58 high-severity vulnerabilities affecting various components:
    • Framework (13 vulnerabilities)
    • System (13 vulnerabilities)
    • Kernel (4 vulnerabilities)
    • Arm components (1 vulnerability)
    • Imagination Technologies PowerVR-GPU (9 vulnerabilities)
    • MediaTek components (4 vulnerabilities: CVE-2025-20655, CVE-2025-20656, CVE-2025-20657, CVE-2025-20658)
    • Qualcomm components (8 vulnerabilities)
    • Qualcomm closed-source components (5 vulnerabilities)
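As an added check (not part of the bulletin or this advisory), the script below classifies a device's reported security patch level against the two April 2025 levels named above. It assumes Google's usual bulletin convention that the later level (2025-04-05) carries the kernel and vendor component fixes, so only that level counts as covering the actively exploited kernel flaws; the constructed sample values are for illustration.

```shell
#!/bin/sh
# Added example: classify an Android security patch level against the
# April 2025 bulletin's two patch levels. Patch levels are ISO dates, so
# stripping the hyphens yields integers that compare in date order.
FULL_LEVEL=20250405     # 2025-04-05: assumed to include kernel/vendor fixes
PARTIAL_LEVEL=20250401  # 2025-04-01: assumed to cover framework/system only

# patch_status LEVEL -> prints one of: full, partial, missing, invalid
patch_status() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    lvl=$(printf '%s' "$1" | tr -d '-')
    if [ "$lvl" -ge "$FULL_LEVEL" ]; then
        echo full       # both April levels applied
    elif [ "$lvl" -ge "$PARTIAL_LEVEL" ]; then
        echo partial    # framework/system fixes only; kernel flaws still open
    else
        echo missing    # pre-April level, none of the 62 fixes present
    fi
}

# Reads the live patch level from an attached device over adb
# (USB debugging required). Not invoked automatically so the script
# also runs without a device attached.
device_patch_status() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
    patch_status "$level"
}

# Constructed sample values to show each classification.
for sample in 2025-04-05 2025-04-01 2025-03-05 2025-05-01; do
    printf '%s -> %s\n' "$sample" "$(patch_status "$sample")"
done
```

Run `device_patch_status` with a phone attached to check the real value; anything other than `full` means the kernel fixes for the two exploited CVEs are not yet on the device under the stated assumption.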

Google stated that these security fixes were shared with OEM partners in January 2025, approximately three months before public disclosure. Google's own Pixel devices will receive these updates immediately, while users of phones from other manufacturers such as Samsung, OnePlus, and Motorola may need to wait for their respective vendors to test and roll out the patches.

Source code patches for these vulnerabilities will be released to the Android Open Source Project (AOSP) repository within 48 hours of the bulletin's publication.
