Introduction:
In a continued effort to fortify Android’s defenses, Google has rolled out its April 2025 security update, addressing 62 vulnerabilities—two of which were zero-days actively exploited in real-world attacks. These high-stakes exploits were part of sophisticated digital forensics operations and surveillance efforts that have drawn the attention of cybersecurity watchdogs and digital rights organizations alike. This update serves not only as a technical fix but as a stark reminder of the complex geopolitical implications surrounding cybersecurity vulnerabilities.
Google’s April 2025 Android security update patches 62 vulnerabilities, including two zero-days exploited in the wild:
- CVE-2024-53197 – A high-severity privilege escalation vulnerability in the Linux kernel’s USB-audio driver for ALSA devices. This flaw was exploited by Serbian authorities using a toolchain developed by the Israeli digital forensics firm Cellebrite to unlock confiscated Android devices.
- This vulnerability was part of a broader exploit chain that also involved:
  - CVE-2024-53104 – A USB Video Class zero-day patched in February 2025.
  - CVE-2024-50302 – A Human Interface Devices zero-day patched in March 2025.
- The exploit chain was uncovered by Amnesty International’s Security Lab during forensic analysis of devices unlocked by Serbian police.
- Google had already developed patches and shared them with OEM partners in January 2025 via a partner advisory issued on January 18.
- The second zero-day, CVE-2024-53150, is an Android kernel information disclosure vulnerability: an out-of-bounds read that lets an attacker access sensitive information without any user interaction.
- The remaining 60 vulnerabilities are mostly high-severity elevation-of-privilege flaws, which pose a significant threat if left unpatched.
- The security update is split into two patch levels:
  - 2025-04-01: Base patch level covering core vulnerabilities.
  - 2025-04-05: A more comprehensive patch level that also covers kernel subcomponents and closed-source components.
- Google Pixel devices receive these patches immediately. Other OEMs tend to delay the rollout because they must adapt the fixes to their custom hardware.
- Notably, Google fixed another zero-day in November 2024 (CVE-2024-43047). That vulnerability, first flagged by Google Project Zero, was used in NoviSpy, a spyware tool deployed by the Serbian government against journalists, activists, and protesters.
- These repeated discoveries paint a larger picture of state-sponsored surveillance using Android vulnerabilities, calling into question digital privacy and the balance of power in law-enforcement technologies.
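As an added example (not from the original article or from Google's bulletin), this Python script checks a fleet's reported security patch levels against the CVEs named above to find devices still exposed to the chain. The exact -05 day assigned to each CVE's patch level is an assumption, since the article gives only the month, and the device inventory is constructed sample data.

```python
"""Check Android security patch levels against the CVEs named in the
April 2025 bulletin. The device inventory below is constructed sample data."""
from datetime import date

# Earliest Security Patch Level (SPL) assumed to cover each CVE. The article gives
# only the month; the -05 day is an assumption (kernel fixes land in that level).
CVE_FIXED_IN = {
    "CVE-2024-53104": date(2025, 2, 5),   # USB Video Class zero-day (Feb 2025)
    "CVE-2024-50302": date(2025, 3, 5),   # Human Interface Devices zero-day (Mar 2025)
    "CVE-2024-53197": date(2025, 4, 5),   # ALSA USB-audio privilege escalation (Apr 2025)
    "CVE-2024-53150": date(2025, 4, 5),   # kernel out-of-bounds read info leak (Apr 2025)
}

def parse_spl(value):
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if unparsable."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None

def missing_fixes(spl_value):
    """Return the sorted CVEs not covered by this patch level. A device with an
    unparsable or empty level is treated as covering nothing (fail closed)."""
    spl = parse_spl(spl_value)
    if spl is None:
        return sorted(CVE_FIXED_IN)
    return sorted(cve for cve, fixed in CVE_FIXED_IN.items() if spl < fixed)

def triage(inventory):
    """inventory maps device id -> security_patch string. Returns only the
    devices that still lack at least one fix, with the CVEs they are missing."""
    report = {}
    for dev, spl in inventory.items():
        gaps = missing_fixes(spl)
        if gaps:
            report[dev] = gaps
    return report

# Constructed sample, as `adb shell getprop ro.build.version.security_patch` would return it.
SAMPLE_INVENTORY = {
    "pixel-8-001": "2025-04-05",     # fully patched
    "oem-tablet-014": "2025-03-01",  # March -01 level: misses the March -05 kernel fixes
    "oem-phone-077": "2025-01-05",   # pre-dates every fix in the chain
    "unknown-090": "",               # property missing or unreadable
}

if __name__ == "__main__":
    for dev, gaps in triage(SAMPLE_INVENTORY).items():
        print(f"{dev}: missing {', '.join(gaps)}")
```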
What Undercode Says:
The April 2025 Android patch cycle underscores a troubling and increasingly visible convergence of cybersecurity, politics, and human rights. Let’s break it down further:
1. Exploitation of Zero-Days by State Actors:
The Serbian government’s use of Cellebrite tools illustrates how vulnerabilities aren’t just exploited by criminals but are often wielded by law enforcement—raising questions about due process and oversight.
2. The Role of Cellebrite:
Cellebrite’s involvement is not new. Their digital forensics tools have been marketed globally, often to regimes with questionable human rights records. That these technologies become tools for surveilling activists is a critical concern.
3. Amnesty International’s Intervention:
It’s notable that a human rights organization had to uncover these exploit chains, emphasizing the gap between technical fixes and ethical accountability.
4. Google’s Timely Response:
Google had already shared patches before the public disclosure, showing a proactive internal process. However, the delay in end-user delivery due to OEM customization remains a persistent security risk.
5. The Chain Exploitation Model:
These zero-days weren’t used in isolation. A chained attack strategy highlights the sophistication behind such espionage attempts. By exploiting kernel USB driver vulnerabilities on a physically held device, this approach bypasses traditional endpoint protections.
6. Android’s Security Fragmentation Problem:
While Pixel devices benefit from immediate patching, other users remain vulnerable for weeks or even months. Android’s open ecosystem is both its strength and its Achilles’ heel.
7. Implications for Privacy and Freedom of Speech:
Targeting journalists and activists through spyware like NoviSpy shows how digital insecurity directly affects civil liberties.
8. OEMs and Patch Delivery Lag:
It is high time OEMs were held to stricter patch update schedules. Delays create windows of opportunity for exploitation, especially when known vulnerabilities are already circulating.
9. Transparency and Accountability:
Google’s public disclosure and cooperation with researchers should become industry standard. Security research shouldn’t rely solely on humanitarian organizations to uncover abuse.
10. MITRE ATT&CK Techniques:
Understanding the top tactics and techniques from ATT&CK mappings can help defenders stay ahead. The continued use of privilege escalation and information disclosure shows where detection needs to improve.
11. Public Awareness:
Articles like this are essential in making the public aware that device vulnerabilities can have real-world implications—from leaked personal data to unlawful surveillance.
12. Corporate Responsibility:
Companies that develop such exploit chains or enable forensic unlocking tech must be held accountable for their clients’ use of these tools.
13. Zero-Day Market Ethics:
The quiet, legal gray area where zero-days are bought and sold to governments needs more scrutiny. Current disclosure and usage policies are too opaque.
14. Whistleblower Protection:
Those inside organizations like Cellebrite or involved with state use of spyware need legal protections to expose unethical use of tech.
15. Tool Democratization Risks:
Once advanced forensic tools are widely distributed, it’s only a matter of time before they are reverse-engineered or leaked—leading to wider misuse beyond state-level actors.
Fact Checker Results:
- Amnesty International’s Security Lab has verified the exploit chain findings via forensic log analysis.
- Google confirmed patch deployment and prior OEM notification in January 2025.
- CVE assignments and severity ratings align with official MITRE and NIST vulnerability databases.
References:
Reported By: www.bleepingcomputer.com