Google patches 62 Android vulnerabilities, including two exploited in cyberattacks

Google has just released the April 2025 security update for Android. With this new security patch, the Mountain View giant fixes a total of 62 vulnerabilities identified in the operating system code. Among the fixed flaws are two zero-day breaches. These are vulnerabilities that may have been exploited by attackers before a patch was deployed.

New Flaw Exploited by Serbian Police

The first flaw is in the Linux kernel's USB audio driver, which handles sound from USB-connected devices such as headsets and sound cards through ALSA (Advanced Linux Sound Architecture), the main software component Linux uses to handle sound.

It is part of an exploitation chain of several vulnerabilities developed by Cellebrite, an Israeli company known for its tools for analyzing and extracting digital data, particularly from mobile phones. This exploitation method has been used by Serbian police forces to monitor journalists and activists.

The attack, which resulted in the installation of the NoviSpy spyware, also leveraged another Android vulnerability, corrected in the March 2025 patch. The attack devised by Cellebrite also took advantage of a flaw in the Linux kernel's UVC (USB Video Class) driver, used to manage USB-connected video devices such as webcams. It was corrected by Google in February. With its latest patches, the American group has done everything possible to block abuses based on Cellebrite's tactics. In recent months, Google has repeatedly corrected flaws actively exploited by Serbian authorities. This was already the case in November and October 2024.

Sensitive Data Theft

The second flaw is an out-of-bounds read issue. It occurs when the system reads data outside of the normally permitted memory, due to a bug in the handling of certain USB audio devices. It allows an attacker with local access to an Android device to read sensitive data by taking advantage of a bug in the kernel. The attacker does not need any action from the user to achieve their goals. Again, Google says the flaw may have been exploited by cybercriminals before a patch was deployed.

Google has released two Android security updates: one dated April 1, 2025, and the other April 5, 2025. The April 5 release contains all the April 1 fixes, plus fixes for additional items, such as components created by other companies. Google reminds that "Android partners are informed of all vulnerabilities at least one month before their public disclosure" and that the "corresponding patches will be published in the Android Open Source Project (AOSP) repository within 48 hours".

For all Android smartphones to be protected, manufacturers must now integrate the security updates into their own Android overlays (the customized firmware they ship). This operation can take time, and it all depends on the responsiveness of the brands. Then, users must take the trouble to install the updates on their devices. To find out if the patch is available on your smartphone, go to Settings > About device > Software Update.
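For a fleet rather than a single handset, the two patch levels named above (2025-04-01 and 2025-04-05) can be checked programmatically. The following is an added example, not code from the article or from Google: it assumes each device's `ro.build.version.security_patch` property has already been collected (for instance with `adb shell getprop`) into a simple "name level" inventory, and the inventory below is constructed.

```python
"""Classify Android devices against the April 2025 security patch levels.

Added example, not from the article or Google. Assumes an inventory where
each line is '<device-name> <ro.build.version.security_patch value>';
the sample below is constructed.
"""
from datetime import date, datetime

# Patch levels named in the April 2025 bulletin, as stated in the article.
LEVEL_APRIL_1 = date(2025, 4, 1)   # core fixes
LEVEL_APRIL_5 = date(2025, 4, 5)   # April 1 fixes plus additional items (third-party components)

# Constructed sample inventory: hostname and reported security patch level.
SAMPLE_INVENTORY = """\
pixel-lab-01 2025-04-05
galaxy-lab-02 2025-04-01
oneplus-lab-03 2025-03-05
tablet-lab-04 unknown
"""


def parse_patch_level(value: str):
    """Parse a YYYY-MM-DD security patch level; return None if malformed."""
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def classify(level):
    """Map a patch level to its status relative to the April 2025 bulletin.

    Android patch levels are cumulative, so any later level also carries
    the April fixes.
    """
    if level is None:
        return "unknown"      # property missing or unparsable: treat as unverified
    if level >= LEVEL_APRIL_5:
        return "complete"     # has the April 1 and April 5 fixes
    if level >= LEVEL_APRIL_1:
        return "partial"      # has the April 1 fixes only
    return "outdated"         # still missing the April 2025 fixes


def check_inventory(text: str) -> dict:
    """Return {device: status} for each non-empty 'name level' line."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _, raw = line.partition(" ")
        result[name] = classify(parse_patch_level(raw))
    return result


if __name__ == "__main__":
    for device, status in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{device}: {status}")
```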

Source: Google
