Do you need a new phone?
Republished on September 6 with the new update deadline for federal staff, following Google's confirmation that attacks on Android phones are underway.
Google has issued a critical warning for all Android users, confirming that two separate vulnerabilities have been exploited in the wild. That is the headline from this month's security update, which Google is pushing out immediately to all eligible Pixel devices.
The two exploited high-severity vulnerabilities, CVE-2025-38352 and CVE-2025-48543, affect the Android kernel and the Android Runtime respectively. As usual, Google has released no technical details at this early stage.
There are also four other critical fixes: CVE-2025-48539, CVE-2025-21450, CVE-2025-21483 and CVE-2025-27034. The first is an Android System issue; the other three relate to Qualcomm chipsets and are released alongside the manufacturer's own fixes.
Google says CVE-2025-48543 and CVE-2025-38352 are the serious concern: both "could lead to local escalation of privilege with no additional execution privileges needed." More alarming still, "user interaction is not needed for exploitation." In practice that means a malicious app already on the device could use either bug to break out of its sandbox and gain higher privileges without the user tapping anything.
While Pixels are updated immediately, other OEMs receive the code fixes "within the next 48 hours" and then have to fold them into their own monthly bulletins and firmware releases. Expect the usual staggered rollout over the coming weeks.
A timely reminder that only devices still eligible for monthly security updates will receive these fixes. More than a billion Android phones are no longer under any form of support, and many run Android versions that can no longer be updated at all.
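As an added example (not part of the article, and not Google's or CISA's tooling), the check a practitioner would actually run to see whether a device has received this month's fixes: read the security patch level that Android exposes as the ro.build.version.security_patch property and compare it against the bulletin level. The required level 2025-09-05 and the getprop dump below are assumptions constructed for the example; substitute the level your OEM's September bulletin states.

```shell
#!/bin/sh
# Added example, not from the article: check an Android device's
# security patch level against the September 2025 bulletin.
# Assumes the device exposes ro.build.version.security_patch (a
# standard Android property) in YYYY-MM-DD form via `adb shell getprop`.

# Patch level this check requires. 2025-09-05 is an assumption used as
# the full September 2025 bulletin level; adjust to the level your OEM ships.
REQUIRED_LEVEL="2025-09-05"

# Constructed sample of an `adb shell getprop` dump (not a real device).
SAMPLE_GETPROP='[ro.build.version.release]: [14]
[ro.build.version.security_patch]: [2025-08-05]
[ro.product.model]: [Example Device]'

# Pull the patch level out of a getprop dump. Expected line format:
#   [ro.build.version.security_patch]: [2025-08-05]
# Carriage returns are stripped because adb output on some hosts is CRLF.
extract_patch_level() {
    printf '%s\n' "$1" \
      | tr -d '\r' \
      | sed -n 's/^\[ro\.build\.version\.security_patch\]: \[\([0-9-]*\)\]$/\1/p' \
      | head -n 1
}

# Return 0 if LEVEL is at least REQUIRED. ISO dates sort correctly as
# plain strings, so a byte-wise sort is enough. An empty or malformed
# level (e.g. a device that does not report one) is treated as unpatched.
patch_level_ok() {
    level="$1"
    required="${2:-$REQUIRED_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    first=$(printf '%s\n%s\n' "$required" "$level" | LC_ALL=C sort | head -n 1)
    [ "$first" = "$required" ]
}

# Evaluate a whole getprop dump and print a verdict; exit status mirrors it.
check_dump() {
    level=$(extract_patch_level "$1")
    if patch_level_ok "$level" "$REQUIRED_LEVEL"; then
        printf 'patch level %s: OK (>= %s)\n' "$level" "$REQUIRED_LEVEL"
        return 0
    fi
    printf 'patch level %s: NOT PATCHED (need %s)\n' "${level:-<none>}" "$REQUIRED_LEVEL"
    return 1
}

# Stand-alone run uses the constructed sample. Against a real device:
#   check_dump "$(adb shell getprop)"
check_dump "$SAMPLE_GETPROP" || true
```

A device that reports a level older than the bulletin, or no level at all, has not received the fixes regardless of what its OEM's update screen says; on the constructed sample above the verdict is NOT PATCHED.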
[Chart: Android update eligibility by version. Source: Endoflife]
This is exactly why owners of these older devices are being urged to replace their phones if they can no longer update their software. Until you do, your data and your device are at risk.
As Zimperium warns, "a significant percentage (25.3%) of devices cannot be upgraded due to the age of the device." Delayed updates make the problem worse: "At any point in the year, more than 50% of mobile devices are running outdated OS versions, and a large number are compromised or infected."
The US cyber defense agency, CISA, added both Android vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on September 4. Federal staff have until September 25 to update or stop using affected Android devices. In the unlikely event that devices which cannot be updated are still in use by federal agency staff, they must be replaced with new hardware by that deadline.
CVE-2025-38352 is a "time-of-check time-of-use (TOCTOU) race condition vulnerability" with high impact on confidentiality, integrity and availability, CISA explains, while CVE-2025-48543 is an "Android Runtime use-after-free vulnerability" that "potentially allows a Chrome sandbox escape leading to local privilege escalation."
Although CISA's update mandate applies only to federal staff, its advice reaches much further. The agency and its KEV catalog operate "for the benefit of the cybersecurity community and network defenders" in both the public and private sectors, and a September 25 deadline is a reasonable target for any organization managing Android fleets.