Google patches 107 Android flaws, including two being actively exploited
Google’s December update fixes two Android bugs that criminals are actively exploiting. Update as soon as you can.
Google has patched 107 vulnerabilities in Android in its December 2025 Android Security Bulletin, including two high-severity flaws that are being actively exploited.
The December updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication, but that doesn’t always mean the patches reach every device right away.
You can check your device’s Android version, security update level, and Google Play system update in Settings. You should get a notification when updates are ready for you, but you can also check for them yourself.
For most phones, go to About phone or About device, then tap Software updates to see if anything new is available for your device, although there may be slight differences based on the brand, type, and Android version you’re on.
If your Android phone shows a patch level of 2025-12-05 or later, these issues are fixed.
Keeping your device up to date protects you from known vulnerabilities and helps you stay safe.
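If you look after several devices, the patch-level check described above can be scripted. The following is an added example, not part of the original article: it reads the standard Android property `ro.build.version.security_patch` and compares it with the 2025-12-05 level named above. The `--adb` mode assumes `adb` is installed and USB debugging is authorised on each device; the serials in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example: flag devices below the patch level the article names as fixed.
REQUIRED_LEVEL="2025-12-05"   # from the article

# patch_status LEVEL -> prints patched | outdated | unknown
patch_status() {
    level=$(printf '%s' "$1" | tr -d '\r ')   # adb output can carry a CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;          # empty or malformed value
    esac
    # Fixed-width ISO dates compare correctly as integers without the dashes.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$REQUIRED_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo patched; else echo outdated; fi
}

# report: reads "SERIAL LEVEL" lines on stdin, prints "SERIAL LEVEL STATUS"
report() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        echo "$serial ${level:-none} $(patch_status "$level")"
    done
}

# scan_adb: read the patch level from every authorised device attached over adb
scan_adb() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from swallowing the rest of the serial list
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        echo "$serial $level"
    done | report
}

# Constructed sample inventory: serials and levels are made up for the demo
sample_inventory() {
    cat <<'EOF'
emulator-5554 2025-12-05
R58M000001 2025-11-01
ZY22000002 2026-01-01
LAB-TABLET
EOF
}

case "${1:-}" in
    --adb)  scan_adb ;;
    --demo) sample_inventory | report ;;
esac
```

Run it with `--demo` to see the report format on the constructed inventory, or with `--adb` to check attached devices. A device that returns no value is reported as `unknown` rather than assumed patched.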
Technical details
The two actively exploited vulnerabilities were found in the Android application framework layer. This is the set of core Java/Kotlin APIs, system services, and components that apps are built on top of.
The Android framework is a large collection of prebuilt classes, interfaces, and services that provide higher‑level access to operating system (OS) functionality such as activities, views, notifications, storage, networking, sensors, and so on. App code calls these framework APIs, which in turn talk to lower layers like system services, native libraries, and the kernel.
The vulnerabilities that are under limited, targeted active exploitation are tracked as:
- CVE-2025-48633: Details are limited. There’s no published CVSS score yet to indicate the threat level, let alone how easy it is to exploit. All Google revealed is that the flaw was found in the Framework layer and that it rated it as a “High severity” flaw. One source suggests it stems from improper input validation that could let a local application gain access to sensitive information.
- CVE-2025-48572 (CVSS score 7.4 out of 10): The vulnerability exists due to improper input validation within the Framework component. A local application can execute arbitrary code.
How to stay safe
From the available information, attackers would need to trick a user into installing a malicious app that could then access sensitive data and run code on the device.
That is another good reason to follow these safety precautions:
- Only install apps from official app stores whenever possible and avoid installing apps promoted in links in SMS, email, or messaging apps.
- Before installing finance‑related or retailer apps, verify the developer name, number of downloads, and user reviews rather than trusting a single promotional link.
- Protect your devices. Use an up-to-date real-time anti-malware solution like Malwarebytes for Android, which already detects this malware.
- Scrutinize permissions. Does an app really need the permissions it’s requesting to do the job you want it to do? Especially if it asks for accessibility, SMS, or camera access.
- Keep Android, Google Play services, and all important apps up to date so you get the latest security fixes.
About the author
Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.
Related news
Google on Monday released monthly security updates for the Android operating system, including two vulnerabilities that it said have been exploited in the wild. The patch addresses a total of 107 security flaws spanning different components, including Framework, System, Kernel, as well as those from Arm, Imagination Technologies, MediaTek, Qualcomm, and Unison. The two high-severity shortcomings