Google Patches Critical Zero-Day Vulnerabilities CVE-2025-48633 and CVE-2025-48572 in Android 13-16 – December 2025 Security Update Analysis
- Rescana
- 2 days ago
- 6 min read

Executive Summary
The December 2025 Android security update from Google addresses 107 vulnerabilities. Two of them, CVE-2025-48633 and CVE-2025-48572, stand out because Google flags them as under limited, targeted exploitation. Both reside in the Android Framework on Android 13, 14, 15 and 16. Limited, targeted exploitation of Framework bugs of this kind is the signature of commercial spyware vendors and state-backed groups, who have historically gone after journalists, activists and political figures. Chained together, an information leak and a privilege escalation let an attacker move from a foothold inside one app to control of the device, which is why prompt patching and heightened vigilance are warranted for every organization and individual using affected devices.
Technical Information
Google's December 2025 bulletin lists two actively exploited zero-days in the Android Framework. CVE-2025-48633 is an information disclosure vulnerability: it lets a local attacker read memory they should not see, which can defeat the randomization and isolation that Android's sandbox relies on. The leaked contents can include authentication tokens, cryptographic key material or the pointers that make a follow-on exploit reliable. CVE-2025-48572 is an elevation-of-privilege vulnerability: once an attacker is already running code on the device, typically inside a malicious or trojanized app, it grants higher privileges in the operating system and with them persistent control. As is usual for Android bulletins, Google has not published technical details of either bug.
Both vulnerabilities affect Android 13, 14, 15 and 16. No public write-up of the exploit chain exists, but the two bug classes suggest the usual shape: a malicious payload reaches the device through a crafted app, a phishing link or an SMS message; CVE-2025-48633 is used to leak the data needed to escape the app sandbox or to steal secrets directly; CVE-2025-48572 then lifts the attacker to system privileges. Together they cut through several layers of Android's security architecture: application isolation, the permission model and runtime hardening.
The technical impact is significant. Information disclosure at the framework level undermines the confidentiality of user data and system secrets, while privilege escalation enables the installation of persistent spyware, rootkits or other advanced malware. Detection is harder still because no public indicators of compromise (IOCs) have been released.
Both vulnerabilities are fixed in the December 2025 security patch, which updates the Android Framework and the underlying system components. OEMs such as Samsung and chipset vendors such as Qualcomm and MediaTek have released corresponding advisories and patches for their own hardware and software stacks. Organizations should ensure that every Android device is updated to the latest security patch level and should monitor for signs of compromise or anomalous behavior.
Exploitation in the Wild
Exploitation of CVE-2025-48633 and CVE-2025-48572 has been reported only in limited, highly targeted attacks. Campaigns of this kind focus on high-value individuals and entities such as journalists, human rights activists, political dissidents and government officials. In past spyware operations the initial lure has been a spear-phishing e-mail, a malicious SMS message or a trojanized app distributed outside official stores; Google has not said which of these was used here.
Attackers in such campaigns first trick the target into installing a malicious app or following a crafted link. Once the payload runs, a bug like CVE-2025-48633 is used to leak memory contents, which may hold credentials, session tokens or the addresses needed to make the next stage reliable. CVE-2025-48572 then escalates privileges, letting the attacker disable security controls, install further malware and keep persistent access to the device.
The sophistication of these attacks matches the operational pattern of commercial spyware vendors and state-sponsored APT groups. Zero-day exploitation combined with evasion and the absence of public IOCs points to considerable technical capability and resources. While Google and its partners have released no IOCs for these campaigns, defenders should look for unknown apps holding excessive permissions, unusual network traffic to command-and-control (C2) infrastructure, and evidence of privilege escalation or sandbox escape in system logs.
APT Groups using this vulnerability
Attribution for the exploitation of CVE-2025-48633 and CVE-2025-48572 remains tentative, but the tactics, techniques, and procedures (TTPs) observed are closely aligned with those of well-known commercial spyware vendors and state-sponsored APT groups. Entities such as NSO Group, Candiru, and Intellexa have a documented history of leveraging Android zero-day vulnerabilities in their surveillance products, including Pegasus and Predator spyware. These vendors often sell their tools to government agencies and intelligence services, who use them to conduct targeted surveillance operations.
In addition to commercial actors, several state-sponsored APT groups have been linked to similar campaigns in the past. Notable examples include APT41, a Chinese cyber-espionage group known for targeting mobile devices, and APT-C-23, which has conducted extensive surveillance operations in the Middle East. While no group has been definitively linked to the current exploitation of these specific vulnerabilities, the operational context and victimology are consistent with previous campaigns attributed to these actors.
The exploitation pattern maps to several MITRE ATT&CK for Mobile techniques: T1660 (Phishing) for luring the target into installing an app or opening a link, T1404 (Exploitation for Privilege Escalation) for the CVE-2025-48572 step, T1533 (Data from Local System) for the collection that CVE-2025-48633 and the resulting implant enable, and T1437 (Application Layer Protocol) for command-and-control traffic. Together these cover delivery, escalation, collection and exfiltration.
Affected Product Versions
The vulnerabilities CVE-2025-48633 and CVE-2025-48572 affect the following versions of the Android operating system: Android 13, Android 14, Android 15, and Android 16. Devices running these versions are at risk if they have not yet applied the December 2025 security update. The impact is not limited to a specific device manufacturer, as the flaws reside within the core Android Framework. However, the risk may be exacerbated on devices that do not receive timely security updates from their vendors, including certain models from Samsung, Xiaomi, Oppo, Vivo, and other OEMs.
It is important to note that while the vulnerabilities are present in the specified Android versions, the actual exposure may vary depending on the device’s patch level, the presence of additional security controls, and the user’s behavior. Devices that are no longer supported by their manufacturers or that have not received recent security updates are particularly vulnerable.
Workaround and Mitigation
The primary mitigation for CVE-2025-48633 and CVE-2025-48572 is to apply the December 2025 security update as soon as your device vendor ships it. The update fixes the bugs in the Android Framework and, through the vendor bulletins, in the underlying system components, closing the attack path exploited in the wild. Verify the result rather than assuming it: Settings > About phone > Android version shows the Android security update date, and on a managed device the property ro.build.version.security_patch, readable with adb shell getprop, returns the same value. A device is patched for these two CVEs when that value is 2025-12-01 or 2025-12-05 or later; anything earlier on Android 13 to 16 is exposed.
For devices running Android 10 and later, Google Play system updates (Project Mainline) deliver fixes for some system modules independently of the OEM's firmware schedule, so confirm that they are current as well; the setting sits under the security section of Settings, and the exact path varies by OEM and release. Organizations should use a mobile device management (MDM) solution to enforce update policies, report patch-level compliance and detect behavior indicative of compromise.
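As an added example that is not part of the original advisory or of Google's bulletin, the following POSIX shell script turns the patch-level check above into something an administrator can run across an adb-connected fleet. It assumes the December 2025 bulletin's base patch level string is 2025-12-01 (Google also publishes a 2025-12-05 level carrying the same Framework fixes), takes the affected releases, Android 13 to 16, from this advisory, and runs offline against a constructed inventory whose serials and values are fictitious.

```shell
#!/usr/bin/env sh
# Added example; not code from the Rescana advisory or from Google.
# Checks a device's reported security patch level against the December 2025
# Android bulletin and flags Android 13-16 devices that still lack it.
# Assumption: the bulletin's base patch level is "2025-12-01"; Google also
# ships a "2025-12-05" level that includes the same Framework fixes, and the
# -ge comparison below accepts either.

FIX_LEVEL="2025-12-01"

# date_key YYYY-MM-DD -> YYYYMMDD so two levels can be compared numerically.
date_key() {
  printf '%s' "$1" | sed 's/-//g'
}

# patch_is_current <ro.build.version.security_patch>
# Returns 0 if the level is at or after FIX_LEVEL, 1 if older, 2 if it is
# not a YYYY-MM-DD date (treat that as unknown, never as patched).
patch_is_current() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 2 ;;
  esac
  [ "$(date_key "$1")" -ge "$(date_key "$FIX_LEVEL")" ]
}

# release_is_affected <ro.build.version.release>
# The advisory lists Android 13, 14, 15 and 16 as affected by both CVEs.
release_is_affected() {
  case "$1" in
    13|14|15|16|13.*|14.*|15.*|16.*) return 0 ;;
    *) return 1 ;;
  esac
}

# assess <serial> <release> <patch_level>
# Prints one verdict line; returns 0 when no action is needed, 1 otherwise.
assess() {
  serial="$1"; release="$2"; level="$3"
  if ! release_is_affected "$release"; then
    printf '%s: Android %s is outside the affected range; confirm vendor support\n' \
      "$serial" "$release"
    return 0
  fi
  if patch_is_current "$level"; then
    printf '%s: Android %s at patch level %s, OK\n' "$serial" "$release" "$level"
    return 0
  fi
  printf '%s: Android %s at patch level %s, UNPATCHED for CVE-2025-48633/CVE-2025-48572\n' \
    "$serial" "$release" "$level"
  return 1
}

# Live use against every device adb can see (adb output carries \r, hence tr):
#   for s in $(adb devices | awk 'NR>1 && $2=="device" {print $1}'); do
#     assess "$s" \
#       "$(adb -s "$s" shell getprop ro.build.version.release | tr -d '\r')" \
#       "$(adb -s "$s" shell getprop ro.build.version.security_patch | tr -d '\r')"
#   done

# Offline demo on a constructed inventory: serial, release, patch level.
printf '%s\n' \
  'emulator-5554 16 2025-12-05' \
  'R58M000TEST1 14 2025-11-01' \
  'A1B2C3TEST02 12 2025-09-01' \
| while read -r serial release level; do
    if assess "$serial" "$release" "$level"; then :; fi
  done
```

The numeric comparison deliberately accepts any later level too, so the same script stays useful after the January 2026 bulletin; a device that reports a malformed or empty patch level is reported separately rather than being counted as patched, because an OEM build that does not set the property is not evidence of a fix.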
Where patching must wait, reduce the initial-access surface in the meantime: block installation from unknown sources through MDM policy (on modern Android this is the per-app "install unknown apps" permission), review third-party apps for permissions they have no business holding, and watch egress traffic for connections to known spyware C2 infrastructure. Educate users about phishing and social engineering, which are the usual first step in these intrusions.
If a device is suspected of compromise, isolate it from the network and preserve it for forensic analysis before changing anything; the artifacts to look for include privilege-escalation events, unauthorized application installations and suspicious system log entries. Where the device cannot be reliably cleaned, a factory reset or replacement may be necessary, bearing in mind that a reset also destroys the evidence.
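The two triage signals named above, sideloaded apps and excessive permission grants, can be pulled from a device with adb. The script below is an added example, not code from the Rescana advisory or from Google; it works on the text of pm list packages -3 -i and dumpsys package, the trusted-installer list and the watched-permission list are assumptions to adapt to your fleet, and the sample output it runs on is constructed with fictitious package names.

```shell
#!/usr/bin/env sh
# Added example; not code from the Rescana advisory or from Google.
# Triages third-party apps for the two signs the text names: installation
# from outside a trusted store and grants of surveillance-grade permissions.
# Works on the text of `pm list packages -3 -i` and `dumpsys package <pkg>`.
# All sample data below is constructed; the package names are fictitious.

# Installers allowed to have delivered an app. Assumption: Play Store and the
# Samsung store; add your MDM's or OEM's store package for your fleet.
TRUSTED_INSTALLERS="com.android.vending com.sec.android.app.samsungapps"

# Permissions a surveillance implant typically holds. Assumption, not a list
# taken from the bulletin.
WATCH_PERMS="READ_SMS RECEIVE_SMS READ_CALL_LOG RECORD_AUDIO CAMERA \
ACCESS_FINE_LOCATION ACCESS_BACKGROUND_LOCATION REQUEST_INSTALL_PACKAGES"

# sideloaded <text of: pm list packages -3 -i>
# Prints "<package> installer=<installer>" for every package whose recorded
# installer is not trusted. installer=null means adb or a local file, which
# is exactly the "unknown sources" path the advisory says to restrict.
sideloaded() {
  printf '%s\n' "$1" | while read -r pkgfield instfield; do
    [ -n "$pkgfield" ] || continue
    pkg=${pkgfield#package:}
    inst=${instfield#installer=}
    trusted=0
    for t in $TRUSTED_INSTALLERS; do
      [ "$inst" = "$t" ] && trusted=1
    done
    [ "$trusted" -eq 1 ] || printf '%s installer=%s\n' "$pkg" "$inst"
  done
}

# sensitive_grants <text of: dumpsys package <pkg>>
# Prints each watched permission that the dump shows as granted=true.
sensitive_grants() {
  for p in $WATCH_PERMS; do
    if printf '%s\n' "$1" | grep -qF "android.permission.$p: granted=true"; then
      printf '%s\n' "$p"
    fi
  done
}

# Live use (adb output carries \r, hence tr):
#   sideloaded "$(adb shell pm list packages -3 -i | tr -d '\r')"
#   sensitive_grants "$(adb shell dumpsys package com.example.updater | tr -d '\r')"

# Constructed sample output of `pm list packages -3 -i`.
SAMPLE_PM_LIST='package:com.example.bank  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.chat  installer=com.android.packageinstaller'

# Constructed excerpt of `dumpsys package com.example.updater`.
SAMPLE_DUMPSYS='    install permissions:
      android.permission.REQUEST_INSTALL_PACKAGES: granted=true
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.READ_SMS: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]'

echo "Sideloaded third-party packages:"
sideloaded "$SAMPLE_PM_LIST"
echo "Sensitive grants held by com.example.updater:"
sensitive_grants "$SAMPLE_DUMPSYS"
```

Run the first function over the whole device, then the second over each package it flags; a sideloaded app that holds SMS, microphone and install-packages grants is the profile the advisory describes, and its APK should be pulled with adb pull for analysis before the device is reset.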
References
- BleepingComputer: Google fixes two Android zero days exploited in attacks, 107 flaws
- TechRadar: 107 Android flaws just got patched by Google
- SecurityWeek: Android's December 2025 Updates Patch Two Zero-Days
- CyberInsider: Google fixes two actively exploited Android zero-days
- Google Android Security Bulletin: source.android.com/security/bulletin
- Qualcomm Security Updates: qualcomm.com/company/product-security/bulletins
- MediaTek Security Advisories: corp.mediatek.com/security-advisories
- Samsung Security Updates: security.samsungmobile.com/securityUpdate.smsb
Rescana is here for you
At Rescana, we understand the critical importance of timely threat intelligence and proactive risk management in today’s rapidly evolving cyber landscape. Our Third-Party Risk Management (TPRM) platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. By leveraging advanced analytics, automated workflows, and real-time threat intelligence, Rescana helps you stay ahead of emerging threats and ensure the resilience of your business operations. If you have any questions about this advisory or require further assistance, our team of experts is ready to help at ops@rescana.com.