Google Patches Android Zero-Day Exploited in Targeted Attacks

Huma Shazia · 2 June 2026 at 5:23 pm · 5 min read
Key Takeaways

Source: BleepingComputer
  • CVE-2025-48595 is a high-severity Android Framework flaw that allows privilege escalation without user interaction
  • Google Pixel devices receive the patch immediately; other Android OEMs will take longer to roll out updates
  • This is the fourth Android zero-day Google has patched since December 2025

Google released its June 2026 Android security patches on Monday, fixing 124 vulnerabilities across the mobile operating system. One of them, CVE-2025-48595, is already being exploited in targeted attacks.

The zero-day is a high-severity flaw in the Android Framework. Attackers with local access can exploit it to execute code and escalate privileges on devices running Android 14 or later. Google confirmed limited, targeted exploitation is underway but has not released technical details about the attacks or their targets.

124: total vulnerabilities fixed in Google's June 2026 Android security patch, including one actively exploited zero-day

What Makes This Zero-Day Dangerous

CVE-2025-48595 is an Elevation of Privilege vulnerability. What makes it particularly concerning is that it requires no user interaction to exploit. An attacker does not need to trick someone into clicking a link or downloading a file. The exploit can work silently.

Google described the most severe issue in this patch cycle as "a critical security vulnerability in the Framework component that could lead to remote escalation of privilege with no additional execution privileges needed." That means an attacker can gain system-level control without the user doing anything.

The complexity of modern mobile operating systems makes zero-click exploits a highly potent threat for targeted espionage, necessitating rapid patching cycles by manufacturers.

— Dr. Elena Vance, Lead Security Analyst at CyberGuard Institute

Similar flaws have historically been used by commercial spyware vendors and nation-state actors targeting journalists, activists, and government officials. Google has not named the attackers or victims in this case.

18 Critical Flaws Fixed

Beyond the zero-day, Google patched 18 critical vulnerabilities across System, Framework, and Qualcomm closed-source components. Attackers can abuse these to trigger denial-of-service conditions or elevate privileges on unpatched devices.

Google released two patch levels: 2026-06-01 and 2026-06-05. The second includes all fixes from the first, plus patches for third-party and kernel subcomponents that may not apply to all devices.

Pixel Gets It First. Everyone Else Waits.

Google Pixel devices receive security updates immediately. For everyone else, the timeline depends on the manufacturer. Samsung, Motorola, OnePlus, and other OEMs need to test and adapt patches for their hardware configurations. That process can take weeks or longer.

This delay frustrates users. Discussion on r/AndroidSecurity and Hacker News has focused on this gap. The Android fix exists, but the security of most users depends on how quickly their phone maker pushes the update.

Google encourages all users to "update to the latest version of Android where possible." The company notes that newer Android versions have security enhancements that make exploitation more difficult.

Fourth Zero-Day Since December

This is not an isolated incident. Google patched two high-severity zero-days (CVE-2025-48633 and CVE-2025-48572) in December 2025. In March 2026, another zero-day in a Qualcomm display component (CVE-2026-21385) was fixed. All were tagged as "under limited, targeted exploitation."

The pattern suggests a steady stream of sophisticated attackers finding and exploiting Android vulnerabilities before Google can patch them. Mobile devices are high-value targets because they contain emails, messages, photos, location data, and access to corporate systems.

Google's Bug Bounty Changes

Last month, Google overhauled its Android and Chrome vulnerability rewards programs. The company now offers bounties up to $1.5 million for some Android exploits. At the same time, it reduced payouts for flaws that are easier to find using AI-assisted tools.

The adjustment reflects reality: AI is making certain vulnerability discovery cheaper. Google wants to direct bounty spending toward the hard problems, the zero-click, zero-day exploits that AI cannot easily find.

What You Should Do

  • Check for updates: Go to Settings > Security & Privacy > System & Updates > Security Update
  • If you have a Pixel, install the June 2026 patch now
  • If you have another Android phone, check your manufacturer's support page for the update timeline
  • Consider enabling automatic updates if you have not already

For organizations managing Android devices, this patch should be prioritized. The zero-click nature of CVE-2025-48595 makes it a prime candidate for targeted attacks against executives, board members, or anyone with access to sensitive systems.
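For fleet triage, the patch-level check described above can be scripted. This is an added example, not code from the article or from Google: it parses `adb shell getprop` output and classifies each device against the 2026-06-01 and 2026-06-05 levels. The device names, sample dumps and triage labels are constructed assumptions.

```python
import re
from datetime import date

# Values taken from the article; labels and device names are constructed.
FIRST_LEVEL = date(2026, 6, 1)     # "June 2026 or later" carries the fix
COMPLETE_LEVEL = date(2026, 6, 5)  # adds third-party and kernel fixes
MIN_AFFECTED_RELEASE = 14          # CVE-2025-48595: Android 14 or later

PROP_RE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$")

def parse_getprop(text):
    """Parse `[key]: [value]` lines as printed by `adb shell getprop`."""
    matches = (PROP_RE.match(line.strip()) for line in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def classify(props):
    """Triage one device by security patch level and Android release."""
    try:
        patch = date.fromisoformat(props["ro.build.version.security_patch"])
    except (KeyError, ValueError):
        return "unknown-patch-level"  # missing or malformed: verify by hand
    if patch >= COMPLETE_LEVEL:
        return "patched-complete"
    if patch >= FIRST_LEVEL:
        return "patched-first-level"
    major = re.match(r"\d+", props.get("ro.build.version.release", ""))
    if major and int(major.group()) < MIN_AFFECTED_RELEASE:
        return "outdated-outside-affected-range"
    return "missing-fix"  # affected or unknown release below June 2026

def audit(inventory):
    """Map device name -> triage label for raw getprop dumps."""
    return {name: classify(parse_getprop(raw)) for name, raw in inventory.items()}

# Constructed sample input, not captured from real devices.
SAMPLE = {
    "pixel-a": "[ro.build.version.release]: [16]\n[ro.build.version.security_patch]: [2026-06-05]",
    "oem-b": "[ro.build.version.release]: [15]\n[ro.build.version.security_patch]: [2026-06-01]",
    "oem-c": "[ro.build.version.release]: [14]\n[ro.build.version.security_patch]: [2026-05-01]",
    "legacy-d": "[ro.build.version.release]: [8.1.0]\n[ro.build.version.security_patch]: [2021-10-05]",
    "broken-e": "[ro.build.version.release]: [15]\n[ro.build.version.security_patch]: []",
}

if __name__ == "__main__":
    for name, label in audit(SAMPLE).items():
        print(f"{name}: {label}")
```

Devices labelled `missing-fix` or `unknown-patch-level` are the ones to prioritize; `patched-first-level` devices have the June fix but not the additional third-party and kernel patches in 2026-06-05.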

Frequently Asked Questions

What is CVE-2025-48595?

It is a high-severity vulnerability in the Android Framework that allows attackers to escalate privileges and execute code on devices running Android 14 or later. It requires no user interaction to exploit.

How do I know if my Android phone is patched?

Go to Settings > Security & Privacy > System & Updates > Security Update. If your security patch level shows June 2026 or later, you have the fix.

Why do non-Pixel phones take longer to get Android security updates?

Each manufacturer must test and adapt Google's patches for their specific hardware and software configurations. This process takes time, ranging from days to weeks depending on the OEM.

Who is being targeted by these exploits?

Google has not identified specific targets. However, similar zero-click exploits have historically been used against journalists, activists, government officials, and corporate executives by commercial spyware vendors and nation-state actors.

How many Android zero-days has Google patched recently?

Four since December 2025: two in December (CVE-2025-48633 and CVE-2025-48572), one in March 2026 (CVE-2026-21385), and now CVE-2025-48595 in June 2026.
