Android's Recent Security Patch Addresses 120 Vulnerabilities, Two of Which Are Reported to Be Currently Exploited
Google has issued an urgent September security patch bundle containing 120 fixes for high-severity vulnerabilities, addressing issues across various components of the Android ecosystem. The update aims to protect users during the wait for manufacturers to deliver patches.
One of the most significant vulnerabilities addressed is a Remote Code Execution (RCE) vulnerability, CVE-2025-48539, found in Android's core system. This RCE vulnerability could potentially allow attackers to compromise a device without physical access. Two other vulnerabilities, CVE-2025-38352 in the Linux kernel and CVE-2025-48543 in Android's runtime environment, are already being exploited by threat actors.
The update also addresses three critical flaws in Qualcomm components. These issues affect GPS systems, mobile data stacks, and call processors, with one of the Qualcomm issues having a severity score of 9.1 out of 10. The update also patches 10 high-severity issues in Imagination Technologies' GPU drivers, which provide the PowerVR graphics chips found in many Android devices.
However, the Android ecosystem's fragmentation slows patch distribution, leaving millions of devices exposed. Manufacturers such as Samsung and Motorola have not yet indicated when users can expect these patches. The manufacturers that have not yet provided information on when their users will receive the patches included in the September security update are not specified in the available search results.
Google's Pixel phones receive updates immediately, while other manufacturers take longer to roll out updates. This delay can leave users vulnerable to attacks. To provide additional protection, specialized security tools like Bitdefender Mobile Security for Android can block malware, phishing attempts, and suspicious apps in real time.
Recent reports suggest small-scale, targeted activity exploiting these vulnerabilities, with Hong Kong's cybersecurity response team strengthening Google's warnings. The identity of the attackers exploiting these vulnerabilities has not been identified, but researchers suspect spyware vendors are involved.
It's worth noting that Google currently holds only about four percent of the US smartphone market, with the majority of users relying on updates from other manufacturers. Qualcomm has recently extended its device support period to as long as eight years, providing some reassurance for users of devices from manufacturers who are slower to roll out updates.
In conclusion, while the September security patch bundle is a significant step towards protecting Android users, the fragmented nature of the Android ecosystem means that millions of devices remain vulnerable. Users are encouraged to stay vigilant and consider using additional security measures to protect their devices.
