Android security crisis: Cybercriminals and law enforcement agencies are currently exploiting two severe vulnerabilities. Google's latest security bulletin reveals that Serbian police used a flaw to deploy spyware on activists' devices. Let's explore how these exploits work and what users need to know.
Major security flaws revealed in March Android updates

The security bulletin released by Google in March 2025 revealed 43 vulnerabilities in the Android operating system. Among these, the company's security experts identified 11 high-severity defects along with 10 critical ones. As usual, this monthly security release sorts each vulnerability into one of three severity tiers: moderate, high, and critical.
The most worrying aspect involves two particular vulnerabilities that Google acknowledges as "currently being exploited in limited, targeted attacks." These issues aren’t part of widespread cyber assaults; instead, they’re employed in focused operations aimed at distinct targets. This selective method indicates advanced threat actors with well-defined goals, rather than casual attackers looking for easy prey.
Security specialists observe that targeted attacks of this kind typically point to state-sponsored entities or sophisticated criminal organizations with substantial resources. The use of one of these vulnerabilities by government bodies adds weight to this assessment.
Data theft vulnerability requires user interaction
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) first identified an actively exploited vulnerability back in November 2024. This weakness allows attackers to escalate their privileges without needing extra permissions, which could result in significant security breaches.
If exploited, this weakness enables attackers to steal confidential information or compromise the whole system by installing malicious software. A successful attack requires certain actions from the user, meaning that targets must unwittingly perform the steps that trigger the exploit. Attackers cannot compromise affected devices unless the user falls for the accompanying social engineering.
Devices running Android versions 11 to 14 are specifically at risk from this vulnerability. Cybersecurity experts advise users to take particular care when downloading apps from unverified sources or following suspicious links until their devices have been updated with the most recent security fixes.
Serbian law enforcement using a flaw in the Linux kernel for surveillance purposes
The second significant weakness affects the Linux kernel's Human Interface Device (HID) component, responsible for handling user interactions within the system. If exploited, this issue enables attackers to access crucial sections of kernel memory, putting both the system's operation and its security at risk.
To use this weakness, attackers must first have local access and limited privileges on the affected device. As part of an exploit chain, it allows spyware to be installed on individuals' mobile phones. The disturbing aspect of this flaw is its confirmed use by Serbian law enforcement agencies for surveillance.
It has been reported that Serbian authorities took advantage of this weakness to keep an eye on journalists and activists. During visits to police stations or during interrogations, law enforcement officials installed a spyware known as NoviSpy onto the devices of their targets. The fact that the state used such methods underscores significant worries regarding online privacy and demonstrates how governmental organizations might exploit security flaws for their own purposes.
Security patch deployment timeline
In response to these threats, Google has issued two security updates this month. On top of the regular monthly patches, extra updates have been rolled out to address flaws in third-party components as well as the Android kernel. This approach gives Android phone makers more flexibility when applying the necessary fixes.
The security patch code has been incorporated into the Android Open Source Project (AOSP). This enables device makers to include these updates in their modified versions of the software. Nonetheless, how quickly these essential fixes reach consumers ultimately depends on how swiftly manufacturers release them for their devices.
Users worried about these security flaws should check whether a patch exists for their phones by going to Settings, followed by About Device, and finally Software Update. If an update is available, they are advised to install it at once to protect their devices against the currently exploited weaknesses.
Security specialists strongly advise turning on automatic updates and regularly checking for outstanding security patches, particularly given the critical nature of these vulnerabilities and their current exploitation by cybercriminals as well as police authorities.
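For anyone managing several phones, the patch check described above can be scripted instead of opening Settings on each device. The following is an added example, not code from Google or the original article: it assumes the `adb` tool with USB debugging enabled and the standard `ro.build.version.release` and `ro.build.version.security_patch` properties. The required patch level `2025-03-05` is an assumption to confirm against the bulletin, and the inventory at the end is constructed.

```shell
# Added example: triage devices against a required Android security patch level.
# REQUIRED_SPL is an assumption; confirm the exact string in Google's bulletin.
REQUIRED_SPL="${REQUIRED_SPL:-2025-03-05}"
# classify RELEASE SPL -> patched | exposed | outdated | unknown
classify() {
    c_release=$1; c_spl=$2
    # Patch levels are YYYY-MM-DD; reject anything else rather than guess.
    case "$c_spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    # Dropping the hyphens gives integers that order the same way as the dates.
    c_have=$(printf '%s' "$c_spl" | tr -d '-')
    c_need=$(printf '%s' "$REQUIRED_SPL" | tr -d '-')
    if [ "$c_have" -ge "$c_need" ]; then echo patched; return 0; fi
    c_major=${c_release%%.*}
    case "$c_major" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    # Android 11 to 14 is the range the article names for the privilege-escalation flaw.
    if [ "$c_major" -ge 11 ] && [ "$c_major" -le 14 ]; then
        echo exposed
    else
        echo outdated   # behind on patches; no version range is given for the kernel flaw
    fi
}

# Read one attached device over adb (needs USB debugging). Not called below.
read_device() {
    r_rel=$(adb -s "$1" shell getprop ro.build.version.release | tr -d '\r')
    r_spl=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s %s %s\n' "$1" "$r_rel" "$r_spl"
}

# triage: reads "serial release patch-level" lines, prints "serial status".
triage() {
    while read -r t_serial t_rel t_spl; do
        [ -n "$t_serial" ] || continue
        printf '%s %s\n' "$t_serial" "$(classify "$t_rel" "$t_spl")"
    done
}

# Constructed inventory (serials and values are made up for the example).
triage <<'EOF'
PIXEL-A 14 2025-03-05
TABLET-B 13 2025-02-05
KIOSK-C 10 2024-11-01
PHONE-D 12 unknown
EOF
```

To run it against real hardware, pipe `read_device SERIAL` for each serial listed by `adb devices` into `triage`.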