Google has patched 6 vulnerabilities in Android including two critical ones, one of which can compromise a device without the user needing to do anything.

Google has patched six vulnerabilities in Android, including two critical vulnerabilities in its August 2025 Android Security Bulletin. It also covers a critical vulnerability which could have allowed an attacker to execute code on a victim’s device without the victim needing to do anything at all.

Last month, Google skipped its monthly security update for the first time in almost ten years. Normally we’ll see dozens of vulnerabilities addressed each month so the skipping was both welcome and slightly worrying. All this while Google reported that its Artificial Intelligence (AI) Big Sleep system found 20 vulnerabilities in several open-source software.

The August updates are available for Android 13, 14, 15, and 16. Android vendors are notified of all issues at least a month before publication, however, this doesn’t always mean that the patches are available for all devices immediately.

You can find your device’s Android version number, security update level, and Google Play system level in your Settings app. You’ll get notifications when updates are available for you, but you can also check for them yourself.

For most phones it works like this: Under **About phone** or **About device** you can tap on **Software updates** to check if there are new updates available for your device, although there may be slight differences based on the brand, type, and Android version of your device.

If your Android phone shows patch level 2025-08-05 or later then you can consider the issues as fixed.

Keeping your device as up to date as possible protects you from known vulnerabilities and helps you to stay safe.

**Technical information**

The critical RCE vulnerability is tracked as CVE-2025-48530: a vulnerability in the Android System which could lead to remote code execution in combination with other bugs, with no additional execution privileges needed. User interaction is not needed for exploitation. This makes it a top priority patch–which only affects Android version 16–since it poses the risk of attackers being able to compromise affected devices silently.

The other critical vulnerability is tracked as CVE-2025-21479: unauthorized command execution in GPU micronode can cause memory corruption while executing specific sequence of commands.

A GPU micronode, is a small, specialized part within the Graphics Processing Unit (GPU) that handles specific tasks related to processing and rendering graphics on the Android device. It’s a critical component for making the visuals work smoothly and correctly.

Researchers recently discovered serious vulnerabilities in the GPU micronode of Qualcomm’s Adreno GPUs, which power billions of Android devices. Qualcomm has identified three such vulnerabilities and this patch fixes the second one they warned about.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Critical Android vulnerabilities patched—update as soon as you can 

Google has released security updates to address multiple security flaws in Android, including fixes for two Qualcomm bugs that were flagged as actively exploited in the wild.
The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6), by the chipmaker back in June 2025.
CVE-2025-21479

Google’s August Patch Fixes Two Qualcomm Vulnerabilities Exploited in the Wild

Receiving an unexpected package in the post is not always a pleasant surprise.

Receiving an unexpected package in the post is not always a pleasant surprise. The FBI has warned the public about unsolicited packages containing a QR code which leads to a website aimed at stealing personal data or downloading malware to the victim’s device.

The packages are often shipped without sender information, only the QR code. This is a deliberate tactic of the cybercriminals who hope that the lack of information will encourage more people to scan the code.

These packages are a modern variant of brushing scams. In brushing scams, vendors send packages containing merchandise to unsuspecting recipients, and then use the recipient’s information to post positive reviews about their products or business.

The use of QR codes is the new element in this scam. Using QR codes in items sent in the post offers the criminals a few advantages. Firstly, people may not expect to end up with their device infected by something as non-technical as a physical letter. Secondly, QR codes are typically read by mobile devices, which—unfortunately—still get overlooked when it comes to installing security software.

As we reported in our “Tap. Swipe. Scam” mobile scam report, 66% of people have scanned a QR code to purchase something. With legitimate businesses employing the use of QR codes, it’s something people are becoming very used to doing.

What many people don’t realize, or remember too late, is that scanning a QR code without the proper safety measures is like clicking a link, with one caveat. With links, we can actually check where they are leading to before we click. However, with QR codes it’s impossible for most people to discern a malicious code from a legitimate one.

**How to protect yourself from brushing scams**

*   If you receive a package you didn’t order and it contains a QR code, do not scan it. Scanning can lead you to fake websites designed to steal your personal or financial information, or even install malware on your device.
*   Legitimate businesses almost always include a return address. Treat any mystery package without sender or return information with extra caution.
*   If you end up on a site asking for personal or financial information after scanning a QR code, do not enter that information. In the hands of scammers it can be used to defraud you.
*   Make sure your device is on the most up to date version. Cybercriminals will take advantage of recently discovered vulnerabilities that people are yet to update and protect themselves against.
*   When scanning QR codes use an app that displays the URL before opening the link. This makes it easier to establish whether it’s safe to follow the link.
*   Use up-to-date and active mobile protection, preferably one that includes web protection.
*   Use two-factor authentication (2FA) wherever you can to make it harder for scammers to access your accounts if they do get hold of your login details.
*   Secure your identity. If your information appears to have been used for a scam, consider freezing your credit, changing passwords, and monitoring bank and online accounts for suspicious activity. Or consider using Identity Theft Protection.
*   Report any brushing scams to the FBI at ic3.gov. Be sure to include as much information as possible, such as the name of the person or company that contacted you; the methods of communication used, including websites, emails, and telephone numbers; and any applications you may have downloaded or provided permissions to on your device.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Unexpected snail mail packages are being sent with scammy QR codes, warns FBI 

Cybersecurity researchers have discovered a nascent Android remote access trojan (RAT) called PlayPraetor that has infected more than 11,000 devices, primarily across Portugal, Spain, France, Morocco, Peru, and Hong Kong.
"The botnet's rapid growth, which now exceeds 2,000 new infections per week, is driven by aggressive campaigns focusing on Spanish and French speakers, indicating a strategic

PlayPraetor Android Trojan Infects 11,000+ Devices via Fake Google Play Pages and Meta Ads

An Ohio man lost $27,000 after an Apple ID scam text hit his phone. The strangest part? It happened at his doorstep.

You’ve probably heard about people scamming from halfway around the world, but sometimes they turn up at your door.

That’s what happened in May, when 67 year-old Robert Wise of Ohio received a text telling him that his Apple ID had been compromised. It had been used at an Apple store for a $213 purchase, the text message said.

The scam text received by Robert Wise, as shown to 10 WBNS

After calling the number on the phone, a man identifying himself as John Cooper said that thieves had racked up a total of $27,000 in charges in his name. Unless Wise withdrew $27,000 from his account immediately, it would be drained, the man said.

As you’ve probably already guessed, there had been no $27,000 theft. At least, not yet. According to local news reports, the man at the other end of the line tried to get Wise to deposit the money into a bitcoin machine to send him the funds.

Robert Wise speaks to 10 WBNS

When Wise tried and failed to do that, the crook said he’d send someone to collect the money in person. This is where 42 year-old Liwei Zhang turned up at the victim’s door and Wise handed the money over.

All might have been well save for the thief’s greed. Zhang arranged to come back and collect more money from Wise, who by this time had finally grown suspicious and called the sheriff. The sheriff told Wise to keep the criminal engaged and they managed to catch the thief at the scene.

Zhang, a Chinese national who was in the country on a business visa, now faces charges of theft, identity fraud and telecommunications fraud. He told law enforcement officers that he was just a middleman, and “felt that he was doing this revolving criminal activity”.

This isn’t an isolated case. Last month, officers in Kentucky arrested a Canadian citizen, Jia Hua Liu. Liu, who was in the US, had targeted multiple elderly victims with scams and then turned up at their homes to collect money. He had collected over $300,000 in total.

Last year, 21 year-old Tejaskumar Patel was arrested after collecting gold bars from a Florida resident. The victim, a retired marine, had been told he needed to pay to free himself from arrest warrants (which were fake). Officers only caught Patel after coming back for more gold, because the victim had called the police.

There are plenty of cases like these. Scamming this way is a reliable last resort for thieves because it will often be easier to collect cash personally from non-tech-savvy people rather than getting them to successfully make a bitcoin transaction.

However, the scammers also place themselves in great personal danger if a victim gets suspicious. Especially if they’re greedy enough to push their luck and come back for more.

Protecting yourself is simple:

*   Be on the lookout for telltale signs that a text is a scam. These include slight language errors and a sense of urgency.
*   Don’t respond directly to any text messages telling you about scams or making legal threats.
*   If the texts have you worried, verify them independently by calling the organization they’re supposed to be from. Use a number obtained independently to ensure you’re calling the right place, and don’t use the number in the text. If the organization can’t verify a text, it’s a scam.
*   Never send money to a stranger or give them money in person. No legitimate organization should ever ask for cash at the door, unless they’re wearing Girl Scout vests and come bearing cookies. If you’re spending $27,000 on Girl Scout cookies, you have bigger problems.
*   If you’re truly stumped about a text message and want some immediate, AI-assisted help, 24/7, try Malwarebytes Scam Guard for free.

Unfortunately, many elderly victims are more vulnerable to scams, as data shows, and may not heed such advice. That’s why it’s important to check in regularly with elderly friends or family to ensure that they aren’t involved in any such transactions.

Liu failed to scam $70,000 from some potential victims because their family members had found out what was going on and intervened. When scams targeting the elderly are so common, it’s important that someone has their back.

**We don’t just report on scans—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 Apple ID scam leads to $27,000 in-person theft of Ohio man 

Scammers are using texts that appear to have been sent to a wrong number to get targets to engage in a conversation.

_A special thanks to all the people at Malwarebytes and ThreatDown for sharing the text messages they received from scammers._

Many of us have received texts like these. Often super short, some flirty, some with a business tone, or sometimes just a simple ‘hello.’

You don’t know the sender, and they look like an honest mistake. But they’re not. All the messages are carefully crafted to seem plausible—so you don’t immediately feel suspicious—and short—to trigger your curiosity.

The intention of these messages are to get you to be confused enough that you will reply, perhaps by saying they have the wrong number.

Here are some of the messages our team has received recently:

**1\. The one-word text**

**2\. The “who are you again?” text**

**3\. The “tempting” text**

Sometimes these involve inviting you for fun activities on the weekend, like a BBQ or some beach time. Sometimes, it’s just a dinner suggestion:  

**4\. The business text**  

**5\. The “OMG i just woke up” text**  

These are just some examples, but we’ve seen so many more.

As soon as you reply, the scammer will initiate a friendly conversation. Their end goal will be to gain your trust and develop the relationship into a costly romance or investment scam.

From their end at least, some of my co-workers told them to go phish elsewhere.

However funny, we don’t recommend engaging with scammers in this or any other way. Here’s why:

**Why you should never respond**

*   Responding confirms your number is active.
*   It flags you as someone who reads texts and might engage.
*   The scammer may sell or share your number.
*   Some groups build long-term “mark profiles” for future scams. Even though you think you’re only providing them with little to none information, scammers often track who replies, how they reply, and how easily they engage. That data becomes part of a “mark profile”, a digital dossier on you that might include your phone number, the time of response (which suggests your schedule or time zone), and any other information you share.

**What you should do instead of replying**

*   Don’t reply, not even to be helpful. Don’t engage in conversation, even if they seem friendly.
*   Never click on links.
*   Block the number.
*   Report the message to your carrier (In the US, most carriers support forwarding spam texts to 7726).
*   Share examples (anonymized) to help others. One way to do this is to use Malwarebytes Scam Guard, which also helps you assess if a message is a scam or not.

**We don’t just report on scans—we help detect them**

Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!

 That seemingly innocent text is probably a scam 

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'passwd' HTTP POST parameter in /ajax/php/login.php script.

Title: Ilevia EVE X1 Server 4.7.18.0.eden Neuro-Core Unauth Code Invasion  
Advisory ID: ZSL-2025-5956  
Type: Local/Remote  
Impact: System Access, DoS  
Risk: (5/5)  
Release Date: 31.07.2025

**Summary**

EVE is a smart home and building automation solution designed for both residential and commercial environments, including malls, hotels, restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive control and monitoring of electrical installations through a highly customizable, user-friendly interface.

EVE is a multi-protocol platform that integrates various systems within a smart building to enhance comfort, security, safety, and energy efficiency. Users can manage building functions via iPhone, iPad, Android devices, Windows PCs, or Mac computers.

The EVE X1 Server is the dedicated hardware solution for advanced building automation needs. Compact and powerful, it is ideal for apartments, small to medium-sized homes, and smaller commercial installations. It is designed to manage entire automation systems reliably and efficiently.

**Description**

The EVE X1 server suffers from an unauthenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the 'passwd' HTTP POST parameter in /ajax/php/login.php script.

**Vendor**

Ilevia Srl. - https://www.ilevia.com

**Affected Version**

<=4.7.18.0.eden (Logic ver: 6.00)

**Tested On**

GNU/Linux 5.4.35 (armv7l)  
GNU/Linux 4.19.97 (armv7l)  
Armbian 20.02.1 Buster  
Apache/2.4.38 (Debian)  
PHP Version 7.3.14

**Vendor Status**

\[01.05.2024\] Vulnerability discovered.  
\[06.05.2024\] Vendor contacted.  
\[06.05.2024\] Vendor responds asking more details.  
\[06.05.2024\] Sent high-level details to the vendor, asked for PGP key.  
\[06.05.2024\] Vendor provides public key and asks for a reason of the contact.  
\[06.05.2024\] Replied to the vendor.  
\[07.05.2024\] Vendor expresses gratitude, maybe discuss a service in the future.  
\[16.05.2025\] Asked vendor for status update.  
\[18.05.2025\] No response from the vendor.  
\[19.05.2025\] Asked vendor for status update.  
\[30.07.2025\] No response from the vendor.  
\[31.07.2025\] Public security advisory released.

**PoC**

eve.py

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

\[1\] https://packetstorm.news/files/id/207717/

**Changelog**

\[31.07.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

Ilevia EVE X1 Server 4.7.18.0.eden Neuro-Core Unauth Code Invasion

The controller suffers from an unauthenticated file disclosure vulnerability. Using the 'db_log' POST parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

Title: Ilevia EVE X1 Server 4.7.18.0.eden (db\_log) Pre-Auth File Disclosure  
Advisory ID: ZSL-2025-5955  
Type: Local/Remote  
Impact: Exposure of System Information, Exposure of Sensitive Information  
Risk: (5/5)  
Release Date: 31.07.2025

**Summary**

EVE is a smart home and building automation solution designed for both residential and commercial environments, including malls, hotels, restaurants, bars, gyms, spas, boardrooms, and offices. It enables comprehensive control and monitoring of electrical installations through a highly customizable, user-friendly interface.

EVE is a multi-protocol platform that integrates various systems within a smart building to enhance comfort, security, safety, and energy efficiency. Users can manage building functions via iPhone, iPad, Android devices, Windows PCs, or Mac computers.

The EVE X1 Server is the dedicated hardware solution for advanced building automation needs. Compact and powerful, it is ideal for apartments, small to medium-sized homes, and smaller commercial installations. It is designed to manage entire automation systems reliably and efficiently.

**Description**

The controller suffers from an unauthenticated file disclosure vulnerability. Using the 'db\_log' POST parameter, attackers can disclose arbitrary files on the affected device and disclose sensitive and system information.

**Vendor**

Ilevia Srl. - https://www.ilevia.com

**Affected Version**

<=4.7.18.0.eden (Logic ver: 6.00)

**Tested On**

GNU/Linux 5.4.35 (armv7l)  
GNU/Linux 4.19.97 (armv7l)  
Armbian 20.02.1 Buster  
Apache/2.4.38 (Debian)  
PHP Version 7.3.14

**Vendor Status**

\[01.05.2024\] Vulnerability discovered.  
\[06.05.2024\] Vendor contacted.  
\[06.05.2024\] Vendor responds asking more details.  
\[06.05.2024\] Sent high-level details to the vendor, asked for PGP key.  
\[06.05.2024\] Vendor provides public key and asks for a reason of the contact.  
\[06.05.2024\] Replied to the vendor.  
\[07.05.2024\] Vendor expresses gratitude, maybe discuss a service in the future.  
\[16.05.2025\] Asked vendor for status update.  
\[18.05.2025\] No response from the vendor.  
\[19.05.2025\] Asked vendor for status update.  
\[30.07.2025\] No response from the vendor.  
\[31.07.2025\] Public security advisory released.

**PoC**

ilevia\_path2.txt

**Credits**

Vulnerability discovered by Gjoko Krstic - <\[email protected\]\>

**References**

\[1\] https://packetstorm.news/files/id/207716/

**Changelog**

\[31.07.2025\] - Initial release

**Contact**

Zero Science Lab

Web: https://www.zeroscience.mk  
e-mail: \[email protected\]

Ilevia EVE X1 Server 4.7.18.0.eden (db_log) Pre-Auth File Disclosure

VPN use is skyrocketing across the UK as the region's Online Safety Act places age verification controls on adult websites.

As the UK’s Online Safety Act came into effect on Friday—along with its age verification controls—the use of virtual private network (VPN) services has skyrocketed by up to 20-fold across the region.

Top10VPN, which monitors VPN traffic around the world, spotted UK VPN traffic spiking 1,327% on July 25, compared to the daily average over the prior four weeks. The traffic didn’t slow down on the days following, either, increasing 1,.712% above the pre-July 25 baseline on July 26, and by almost 2,000% on July 27.

The Online Safety Act forces a variety of websites to verify a user’s age, ensuring they are 18 years old or over. This doesn’t just apply to the obvious porn sites, but to a broad array of other categories: social media, gaming, and even search. The content considered harmful under the bill isn’t just sexual either, but covers areas including suicide, self-harm, and content related to eating disorders. Sites that don’t comply risk fines or even bans in the UK.

The more stringent law means that simply checking a box saying you’re over 18 won’t cut it. Instead, the UK’s communications regulator OFCOM suggests several ways for sites to verify a person’s age:

*   Using open banking information (where a person submits information from their bank that proves their age)
*   Photo ID matching using facial recognition
*   Proving your age to your mobile operator who then approves you on the site’s behalf
*   Checking your credit card (only adult UK residents can get one)
*   Analyzing your email to see if it’s likely to have been used in an adult situation (a mortgage application, say)
*   Using digital identity services such as a digital ID wallet (the EU is working on one of these)
*   Estimating a person’s age from a selfie.

OFCOM argues that all methods must be implemented in line with UK privacy law, but it’s understandable that adult users might consider this a privacy risk. It’s also likely that some minors will want to flout the rules and access content that the government doesn’t want them to, especially given the wide scope of the law. Both these reasons are likely why VPN activity has soared since the law kicked in.

When you browse the internet directly, your computer uses an IP address that your internet service provider gives you. The site you’re browsing can use that to determine what country you’re in. A VPN is a program that connects your internet browsing device to the VPN company’s computer. That computer then serves as your jumping-off point to the internet.

Because VPN providers have networks of these computers around the world, you can pretend to be in another country of your choosing when using a VPN, meaning people often use them to bypass censorship laws. As more countries have been restricting access to adult content, they have also become a tool for internet users to dodge age protection laws.

UK Science Secretary Peter Kyle downplayed the use of VPNs in a Guardian interview yesterday, arguing that “very few children” were seeking harmful content online. Yet according to OFCOM, 8% of children between eight and 14 in the UK access online porn every month. That figure increases to almost one in five boys in that age bracket.

Kyle insisted that the government had solved up to 90% of the problem. “That 10% that’s remaining, or whatever that percentage is? We’ll go figuring it out as we move forward,” he said.

Per Wired, the Proton VPN service tweeted that its UK signups surged over 1,400%. “Unlike previous surges, this one is sustained, and is significantly higher than when France lost access to adult content,” it added.

VPN service Windscribe also tweeted a graph showing what appeared to be a massive spike in daily sign-ups on July 25.

And AdGuard also reported a spike in traffic, “Website traffic from UK users has surged by more than 60%, with visits from Android devices more than doubling and iOS traffic up by nearly 100%,” it said. “VPN installs in the UK have also grown by 2.5 times, and we’re seeing a clear increase in traffic from keyword searches—a significant share of which is related to adult content.”

Kyle told the Guardian that he was not going to ban VPNs, but that he would be looking “very closely” at how they are being used.

Tag

#android