Android drops mega patch bomb - 120 fixes, two already exploited
(2025/09/03)
- Reference: 1756936311
- News link: https://www.theregister.co.uk/2025/09/03/android_patch_september/
- Source link:
Patch Tuesday is next week, but Android is ahead of the game, dropping its biggest patch bundle this year while attackers actively exploit two of the now-fixed flaws.
This month, the world's most popular mobile operating system [1]pushed out 120 patches, its biggest monthly dump this year. It's a far cry from July, when Android [2]didn't issue a single patch as everything was apparently fine, but in September, two of the flaws may be under "limited, targeted exploitation."
The two biggest concerns are [3]CVE-2025-38352 , a high-severity problem with the Linux kernel at the heart of the operating system, and [4]CVE-2025-48543 , a high-severity issue with Android's runtime environment hosting apps. An attacker can escalate local privileges with both flaws, without even requiring user interaction.
[5]
Google declined to name who is exploiting the flaws or how, but the language suggests that a surveillanceware company is using them to break in. We asked noted flaw-finders Citizen Lab at the University of Toronto, but they say that they haven't detected anyone using the vulns. However, the Hong Kong computer emergency response team issued an alert and echoed Google's warning, noting there are signs of limited, targeted exploitation.
[6]
[7]
"CVE-2025-38352 and CVE-2025-48543 are being scattered [sic] exploited," it [8]warned .
[9]Microsoft's Patch Tuesday baker's dozen: 12 critical bugs plus a SharePoint RCE
[10]Microsoft enjoys first Patch Tuesday of 2025 with no active exploits
[11]Apple fixes zero-click exploit underpinning Paragon spyware attacks
[12]Qualcomm pledges 8 years of security updates for Android kit using its chips (YMMV)
September's update also includes three critical vulnerabilities in Qualcomm's closed-source components. [13]CVE-2025-21450 is a CVSS 9.1-rated vulnerability in its GPS control system, CVE-2025-21483 covers issues with network data stacks, and CVE-2025-27034 involves an issue with Qualcomm's multi-mode call processor.
Qualcomm has, possibly under pressure from Google, been upping its flaw-fixing game. In February, it [14]doubled the length of time it would support its components from four to up to eight years. Google, by contrast, guarantees seven years of OS and security updates for its own Pixel 8 line and later.
Imagination Technologies is also getting 10 fixes, all in its PowerVR GPU and all high severity.
[15]
Most of the remaining Android flaws are rated high severity, though there's also a critical remote code execution hole in the System component (CVE-2025-48539), so the update should be installed as soon as possible. But therein lies the problem. While owners of Google's Pixel handset line will get prompt patching, that's only a fraction of the vulnerable handsets, with the Chocolate factory only having around a four percent market share in the US.
The two biggest Android players in the US are Samsung and Motorola, and they will roll these fixes out when they are good and ready. We've asked both mobile makers when people will get a fix for these active vulnerabilities and will update you if we hear back. ®
Get our [16]Tech Resources
[1] https://source.android.com/docs/security/bulletin/2025-09-01
[2] https://source.android.com/docs/security/bulletin/2025-07-01
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-38352
[4] https://www.cve.org/CVERecord?id=CVE-2025-48543
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aLi6c0u3TLTJ2bCdtmFiEAAAAFE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLi6c0u3TLTJ2bCdtmFiEAAAAFE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLi6c0u3TLTJ2bCdtmFiEAAAAFE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.hkcert.org/security-bulletin/android-multiple-vulnerabilities_20250903
[9] https://www.theregister.com/2025/08/12/august_patch_tuesday/
[10] https://www.theregister.com/2025/07/08/microsoft_patch_tuesday/
[11] https://www.theregister.com/2025/06/13/apple_fixes_zeroclick_exploit_underpinning/
[12] https://www.theregister.com/2025/02/26/qualcomm_android_support/
[13] https://nvd.nist.gov/vuln/detail/CVE-2025-21450
[14] https://www.theregister.com/2025/02/26/qualcomm_android_support/
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLi6c0u3TLTJ2bCdtmFiEAAAAFE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[16] https://whitepapers.theregister.com/
This month, the world's most popular mobile operating system [1]pushed out 120 patches, its biggest monthly dump this year. It's a far cry from July, when Android [2]didn't issue a single patch as everything was apparently fine, but in September, two of the flaws may be under "limited, targeted exploitation."
The two biggest concerns are [3]CVE-2025-38352 , a high-severity problem with the Linux kernel at the heart of the operating system, and [4]CVE-2025-48543 , a high-severity issue with Android's runtime environment hosting apps. An attacker can escalate local privileges with both flaws, without even requiring user interaction.
[5]
Google declined to name who is exploiting the flaws or how, but the language suggests that a surveillanceware company is using them to break in. We asked noted flaw-finders Citizen Lab at the University of Toronto, but they say that they haven't detected anyone using the vulns. However, the Hong Kong computer emergency response team issued an alert and echoed Google's warning, noting there are signs of limited, targeted exploitation.
[6]
[7]
"CVE-2025-38352 and CVE-2025-48543 are being scattered [sic] exploited," it [8]warned .
[9]Microsoft's Patch Tuesday baker's dozen: 12 critical bugs plus a SharePoint RCE
[10]Microsoft enjoys first Patch Tuesday of 2025 with no active exploits
[11]Apple fixes zero-click exploit underpinning Paragon spyware attacks
[12]Qualcomm pledges 8 years of security updates for Android kit using its chips (YMMV)
September's update also includes three critical vulnerabilities in Qualcomm's closed-source components. [13]CVE-2025-21450 is a CVSS 9.1-rated vulnerability in its GPS control system, CVE-2025-21483 covers issues with network data stacks, and CVE-2025-27034 involves an issue with Qualcomm's multi-mode call processor.
Qualcomm has, possibly under pressure from Google, been upping its flaw-fixing game. In February, it [14]doubled the length of time it would support its components from four to up to eight years. Google, by contrast, guarantees seven years of OS and security updates for its own Pixel 8 line and later.
Imagination Technologies is also getting 10 fixes, all in its PowerVR GPU and all high severity.
[15]
Most of the remaining Android flaws are rated high severity, though there's also a critical remote code execution hole in the System component (CVE-2025-48539), so the update should be installed as soon as possible. But therein lies the problem. While owners of Google's Pixel handset line will get prompt patching, that's only a fraction of the vulnerable handsets, with the Chocolate factory only having around a four percent market share in the US.
The two biggest Android players in the US are Samsung and Motorola, and they will roll these fixes out when they are good and ready. We've asked both mobile makers when people will get a fix for these active vulnerabilities and will update you if we hear back. ®
Get our [16]Tech Resources
[1] https://source.android.com/docs/security/bulletin/2025-09-01
[2] https://source.android.com/docs/security/bulletin/2025-07-01
[3] https://nvd.nist.gov/vuln/detail/CVE-2025-38352
[4] https://www.cve.org/CVERecord?id=CVE-2025-48543
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2aLi6c0u3TLTJ2bCdtmFiEAAAAFE&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[6] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLi6c0u3TLTJ2bCdtmFiEAAAAFE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33aLi6c0u3TLTJ2bCdtmFiEAAAAFE&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[8] https://www.hkcert.org/security-bulletin/android-multiple-vulnerabilities_20250903
[9] https://www.theregister.com/2025/08/12/august_patch_tuesday/
[10] https://www.theregister.com/2025/07/08/microsoft_patch_tuesday/
[11] https://www.theregister.com/2025/06/13/apple_fixes_zeroclick_exploit_underpinning/
[12] https://www.theregister.com/2025/02/26/qualcomm_android_support/
[13] https://nvd.nist.gov/vuln/detail/CVE-2025-21450
[14] https://www.theregister.com/2025/02/26/qualcomm_android_support/
[15] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/patches&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44aLi6c0u3TLTJ2bCdtmFiEAAAAFE&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[16] https://whitepapers.theregister.com/