Introduction
In April 2025 [3], Google released a security update addressing 62 vulnerabilities in Android devices, including two critical issues, CVE-2024-53150 and CVE-2024-53197 [1] [2] [3] [4] [5] [6] [7], which are actively exploited [7]. Users are strongly advised to update their devices immediately to mitigate these risks.
Description
Google’s April 2025 security update addresses a total of 62 vulnerabilities, including two critical issues actively exploited in Android devices: CVE-2024-53150 and CVE-2024-53197. These vulnerabilities are included in the security patch levels of 2025-04-01 and 2025-04-05 or later [2], and users are strongly advised to update their devices immediately [2]. Both vulnerabilities primarily affect devices running Android versions 12 through 15 [3], particularly those that have not received timely security updates [3].
CVE-2024-53150 is a significant out-of-bounds read vulnerability in the USB subsystem of the Linux kernel [5], resulting from a failure to validate the bLength field during clock descriptor processing [3]. This information disclosure flaw (CWE-125) allows local attackers to potentially extract sensitive kernel memory without user interaction, and it has a CVSS v3.1 base score of 7.1. In contrast, CVE-2024-53197 is a more severe elevation of privilege issue that occurs when a malicious USB device presents an invalid bNumConfigurations value, leading to potential out-of-bounds memory access in the usb_destroy_configuration function [3]. This vulnerability has a CVSS score of 7.8 and could result in system crashes or unauthorized access if exploited, including Denial of Service attacks or the execution of malicious code.
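The kind of bLength validation whose absence is described above, as an added C illustration; it is not kernel code and does not come from any of the cited sources. The constants and the 8-byte clock source layout follow the USB Audio Class 2.0 convention and, like the function names and the sample bytes, are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed constants and layout (USB Audio Class 2.0 clock source). */
#define DT_CS_INTERFACE   0x24
#define UAC2_CLOCK_SOURCE 0x0a
#define CLOCK_SOURCE_LEN  8   /* bLength through iClockSource */

/* Constructed sample: a well-formed clock source (ID 1), then a
 * truncated one (ID 2) that declares bLength = 4. */
static const uint8_t sample[] = {
    8, DT_CS_INTERFACE, UAC2_CLOCK_SOURCE, 1, 0x01, 0x00, 0, 0,
    4, DT_CS_INTERFACE, UAC2_CLOCK_SOURCE, 2,
};

/* Offset of the validated clock source descriptor with this ID, or -1. */
static long find_clock_source(const uint8_t *buf, size_t len, uint8_t id)
{
    size_t off = 0;

    while (len - off >= 2) {              /* bLength + bDescriptorType */
        uint8_t blen = buf[off];

        if (blen < 2 || blen > len - off) /* malformed or overruns buffer */
            return -1;
        /* Accept the subtype only if bLength covers the whole structure. */
        if (buf[off + 1] == DT_CS_INTERFACE && blen >= CLOCK_SOURCE_LEN &&
            buf[off + 2] == UAC2_CLOCK_SOURCE && buf[off + 3] == id)
            return (long)off;
        off += blen;
    }
    return -1;
}

/* bmAttributes sits at offset 4; it is read only after validation. */
static int clock_attributes(const uint8_t *buf, size_t len, uint8_t id)
{
    long off = find_clock_source(buf, len, id);
    return off < 0 ? -1 : buf[off + 4];
}

int main(void)
{
    printf("ID 1 attributes: %d\n", clock_attributes(sample, sizeof sample, 1));
    printf("ID 2 attributes: %d\n", clock_attributes(sample, sizeof sample, 2));
    return 0;
}
```

A parser that matched on the subtype alone would treat the truncated descriptor as a full structure and read fields beyond the bytes the device actually supplied.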
Both vulnerabilities were initially patched in the Linux kernel in December 2024 [6], but they have been reported to be under active, limited exploitation [2] [3] [4] [7]. Notably, CVE-2024-53197 was used in late 2024 to compromise the Android phone of a Serbian youth activist [7], in conjunction with two other flaws [7]. The Android Security Team warns that these vulnerabilities pose significant risks if unpatched [2], as attackers can bypass platform mitigations to gain elevated privileges remotely [2], potentially leading to data theft [2], malware installation [2], or unauthorized access to sensitive systems [2].
Security researchers from GrapheneOS have indicated that standard device locks [3], such as passwords and biometric methods [3], may not adequately protect against these vulnerabilities [3]. Furthermore, CVE-2024-53197 has been linked to exploits used by digital intelligence companies like Cellebrite [3], particularly in the context of extracting data from locked devices [3], suggesting connections to sophisticated surveillance tools employed in targeted operations [3]. Adam Boynton [6], a senior security strategy manager at Jamf [6], emphasized the risks associated with these vulnerabilities, particularly the potential for CVE-2024-53150 to enable unauthorized access to sensitive information [6].
Google has urged all Android partners to promptly roll out these updates to ensure widespread protection [2], and source code patches for these vulnerabilities will be available in the AOSP repository within the next 48 hours [2]. Users are urged to apply security updates promptly to protect against these threats [5].
Conclusion
The April 2025 security update is crucial for safeguarding Android devices against significant vulnerabilities that could lead to unauthorized access and data breaches. Users are strongly encouraged to apply these updates immediately to protect their devices. The ongoing exploitation of these vulnerabilities highlights the importance of timely security updates and the need for continued vigilance against emerging threats. As these vulnerabilities have been linked to sophisticated surveillance tools, it is imperative for both users and manufacturers to prioritize security measures to mitigate potential risks.
References
[1] https://www.heise.de/en/news/Android-patchday-Attackers-exploit-gaps-in-the-USB-audio-driver-10343980.html
[2] https://gbhackers.com/google-patches-android-0-day-vulnerability/
[3] https://cybersecuritynews.com/google-patched-android-0-day-vulnerability/
[4] https://cyberscoop.com/android-security-update-april-2025/
[5] https://socradar.io/april-2025-android-update-kernel-bugs-remote-privilege-escalation/
[6] https://www.infosecurity-magazine.com/news/android-update-address-two-zero/
[7] https://www.techradar.com/pro/security/actively-exploited-vulnerabilities-patched-on-android-in-latest-security-update
												



