VYPR
advisoryPublished Jun 2, 2026· 3 sources

Android Zero-Day Vulnerability Exploited for Full Device Control

A critical Android zero-day vulnerability, CVE-2025-48595, is actively exploited in targeted attacks, granting attackers near-complete device control without user interaction.

A critical zero-day vulnerability affecting Android devices, identified as CVE-2025-48595, is currently being exploited in targeted attacks, enabling threat actors to achieve a high level of control over compromised devices. This elevation-of-privilege flaw, discovered within the Android Framework, allows for remote exploitation without requiring any user interaction, significantly increasing its danger.

Google confirmed limited real-world exploitation of this vulnerability in its June 2026 Android Security Bulletin. The flaw's nature as a high-severity elevation-of-privilege issue means that successful exploitation can bypass core security mechanisms, granting attackers the ability to escalate their privileges and access sensitive system resources. The vulnerability impacts devices running Android versions 14, 15, and 16, including the 16 QPR2 release.

While categorized as high severity, the remote and unauthenticated nature of the exploit makes it particularly potent for targeted campaigns. In such scenarios, attackers often chain this vulnerability with other exploits to achieve full device compromise. This can include unauthorized data exfiltration, persistent surveillance, and maintaining long-term access to the device.

Google has emphasized that the most severe vulnerabilities disclosed in this bulletin could lead to remote privilege escalation without user involvement, underscoring the potential impact when platform-level defenses are circumvented. Despite Android's robust security architecture, which includes sandboxing, strict permission controls, and runtime protections, sophisticated attackers can still find ways to exploit flaws under specific conditions, especially on unpatched or outdated systems.

Android partners were notified of the vulnerability at least a month prior to public disclosure, providing them with ample time to prepare and distribute necessary patches. The security updates released with the patch level 2026-06-05 fully address CVE-2025-48595 and other related security issues. Patches for the Android Open Source Project (AOSP) are expected to be made available shortly after the bulletin's publication.

Google Play Protect remains a crucial line of defense, actively scanning applications and warning users about potentially harmful software, particularly on devices with Google Mobile Services. However, users who install applications from unofficial third-party sources, often referred to as sideloading, face a heightened risk as these channels are frequently used to distribute malicious payloads.

The Android Security Team strongly advises all users and organizations to update their devices to the latest available security patch level without delay. Delayed patch adoption is a primary enabler for threat actors to weaponize known vulnerabilities, turning them into active exploits.

This zero-day incident highlights a persistent trend in the mobile threat landscape, where attackers increasingly focus on exploiting core operating system components to maximize their impact. As exploitation techniques continue to evolve, maintaining timely patching and implementing layered security defenses are paramount for reducing exposure and preventing device compromise.

Google's June 2026 Android security bulletin details the patching of CVE-2025-48595, a zero-day vulnerability in the Android Framework that was actively exploited in targeted attacks. This flaw allowed local attackers to gain code execution and escalate privileges on devices running Android 14 or later, with indications of limited, targeted exploitation. The bulletin also addresses 17 other critical vulnerabilities across System, Framework, and Qualcomm components, though specific details on the exploitation of these remain scarce.

This new report from Help Net Security provides further details on the integer overflow vulnerability, CVE-2025-48595, within the Android Framework. It specifies that the flaw affects Android versions 14, 15, 16, and 16-qpr2, and that exploitation is local, likely requiring a malicious app to be installed. The article also notes that Google has released the corresponding source code patches to the Android Open Source Project (AOSP) repository.

Synthesized by Vypr AI