Android 0-Day Vulnerability Exploited in Attacks to Gain Complete Device Control

A critical Android zero-day vulnerability is being actively exploited in targeted attacks, allowing threat actors to gain near-complete control over affected devices without any user interaction.

The flaw, tracked as CVE-2025-48595, was highlighted in the June 2026 Android Security Bulletin, where Google confirmed limited real-world exploitation.

The vulnerability resides in the Android Framework component and is a high-severity elevation-of-privilege (EoP) issue.

Under certain conditions, attackers can exploit the flaw remotely to escalate privileges without requiring additional execution permissions.

This significantly increases the risk profile, as successful exploitation could enable attackers to bypass core security boundaries and access sensitive system resources.

Security researchers note that the vulnerability impacts devices running Android versions 14, 15, 16, and 16 QPR2. While categorized as high severity, its exploitation characteristics, particularly the lack of user interaction, make it especially dangerous in targeted campaigns.

Android 0-Day Vulnerability Exploited

In real-world scenarios, such vulnerabilities are often chained with other exploits to achieve full device compromise, including data exfiltration, surveillance, and persistent access.

Google stated that the most severe issues in this bulletin could lead to remote escalation of privilege with no user involvement, emphasizing the potential impact if platform-level mitigations are bypassed.

Although Android incorporates multiple layers of defense, including sandboxing, permission controls, and runtime protections, sophisticated attackers may still exploit such flaws under specific conditions, especially on unpatched or outdated devices.

The company also confirmed that Android partners were notified of the vulnerability at least a month before public disclosure, allowing OEMs time to prepare and distribute patches.

The security updates included in patch level 2026-06-05 fully address CVE-2025-48595 and related vulnerabilities. Source code patches are expected to be released to the Android Open Source Project (AOSP) repository shortly after the bulletin is published.

Google Play Protect continues to play a critical role in mitigating exploitation attempts. Enabled by default on devices with Google Mobile Services, it actively scans apps and warns users about potentially harmful applications.

However, users who sideload apps from third-party sources remain at higher risk, as these channels are often abused to deliver exploit payloads.

The Android Security Team has urged users and organizations to update devices immediately to the latest available security patch level.

Delayed patch adoption remains one of the primary factors enabling threat actors to weaponize known vulnerabilities. This zero-day case underscores a broader trend in mobile threat landscapes, where attackers increasingly target core operating system components to maximize impact.

As exploitation techniques evolve, timely patching and layered security defenses remain essential to reducing exposure and preventing device compromise.

Free Webinar on OWASP API Top 10 and Guide to Close Visibility Gaps With WAAP