Android security crisis: Cybercriminals and law enforcement agencies are currently exploiting two severe vulnerabilities. Google’s latest security bulletin reveals that Serbian police used a flaw to deploy spyware on activists’ devices. Let’s explore how these exploits work and what users need to know.
Critical Android vulnerabilities discovered in March security update
Google’s March 2025 security bulletin has uncovered 43 vulnerabilities within Android’s code. Security researchers at the tech giant identified 11 high-severity flaws and 10 critical vulnerabilities among these issues. This monthly security update follows Google’s established practice of classifying all vulnerabilities according to three risk levels: moderate, high, and critical.
Most concerning are two specific vulnerabilities that Google confirms are “being actively exploited in limited, targeted attacks.” Rather than being used in large-scale cyberattacks, these flaws are currently exploited in precise operations against specific targets. This targeted approach suggests sophisticated threat actors with clear objectives rather than opportunistic hackers.
Security experts note that such targeted exploitation patterns often indicate nation-state actors or advanced cybercriminal groups with significant resources. The fact that government agencies have been implicated in using one of these vulnerabilities further supports this assessment.
Data theft vulnerability requires user interaction
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) initially flagged the first actively exploited vulnerability in November 2024. This flaw enables attackers to elevate their access privileges without requiring additional authorizations, potentially leading to serious security breaches.
Once exploited, this vulnerability allows malicious actors to steal sensitive data or compromise the entire system by implanting malware. The attack vector requires some form of user interaction to succeed, meaning victims must inadvertently take some action that triggers the exploit. Attackers cannot compromise a device through this flaw if its user avoids falling for the associated social engineering techniques.
All devices running Android 11 through 14 are vulnerable to this exploit. Security researchers recommend that users be especially cautious about installing applications from unknown sources or clicking on suspicious links until they’ve updated their devices with the latest security patches.
Serbian police exploiting Linux kernel vulnerability for surveillance
The second critical vulnerability affects the Linux kernel’s Human Interface Device (HID) component, which manages user interactions with the system. By exploiting this flaw, attackers can read sensitive kernel memory areas, potentially compromising system performance and security.
This vulnerability requires attackers to already have local access and limited privileges on the target system. When used within an attack chain, it enables the deployment of spyware on victims’ smartphones. What makes this vulnerability particularly alarming is its documented use by Serbian police forces for surveillance purposes.
Serbian authorities reportedly exploited this vulnerability to monitor journalists and activists. Law enforcement would use police station visits or interrogations to install a surveillance tool called NoviSpy on targets’ phones. This state-sponsored exploitation raises serious concerns about digital privacy and highlights how government agencies can weaponize vulnerabilities.
Security patches deployment timeline
Google has responded to these threats by deploying two security updates this month. Beyond the standard monthly patch, additional updates have been released to address vulnerabilities in third-party components and the Android kernel itself. This dual approach provides greater flexibility for Android smartphone manufacturers to implement fixes.
The security patch code has been integrated into the Android Open Source Project (AOSP), allowing device manufacturers to incorporate these updates into their customized interfaces. However, the speed at which these critical fixes reach end users now depends entirely on how quickly manufacturers deploy them to their devices.
Users concerned about these vulnerabilities should check if the patch is available on their smartphones by navigating to Settings, then About device, and then Software update. If an update is available, users should install it immediately to protect their devices from these actively exploited vulnerabilities.
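For administrators who look after several handsets, the same check can be scripted over adb. The script below is an added example, not part of the original article: it reads each device's ro.build.version.security_patch property and reports whether the device has the standard monthly patch, the additional kernel and third-party fixes as well, or neither. The two level strings are assumptions based on Google's usual -01/-05 naming and are not stated in the article; confirm them against the bulletin.

```shell
#!/bin/sh
# Added example. BASE_LEVEL and FULL_LEVEL are assumptions (not from the article):
# the standard monthly patch and the level that adds kernel/third-party fixes.
BASE_LEVEL="${BASE_LEVEL:-2025-03-01}"
FULL_LEVEL="${FULL_LEVEL:-2025-03-05}"

# Convert YYYY-MM-DD to the integer YYYYMMDD; fail on any other format.
level_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s\n' "$1" | sed 's/-//g' ;;
        *) return 1 ;;
    esac
}

# classify_patch_level <device_level> prints one of:
#   unknown | missing-all | missing-kernel-and-third-party | patched
classify_patch_level() {
    dev=$(level_to_int "$1") || { echo unknown; return 0; }
    base=$(level_to_int "$BASE_LEVEL") || return 2
    full=$(level_to_int "$FULL_LEVEL") || return 2
    if [ "$dev" -lt "$base" ]; then
        echo missing-all
    elif [ "$dev" -lt "$full" ]; then
        # Has the monthly patch but not the kernel/third-party update.
        echo missing-kernel-and-third-party
    else
        echo patched
    fi
}

# Report every device attached over adb (requires USB debugging on the device).
audit_attached_devices() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 0; }
    adb devices | awk 'NR>1 && $2=="device" {print $1}' | while read -r serial; do
        # </dev/null stops adb from consuming the device list on stdin.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
            </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "$level" "$(classify_patch_level "$level")"
    done
}

# Run the audit only when asked, so sourcing the file just defines the functions.
if [ "${1:-}" = "--audit" ]; then
    audit_attached_devices
fi
```

Run it with --audit to print one line per attached device: serial number, reported patch level, and status.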
Security experts strongly recommend enabling automatic updates and regularly checking for pending security patches, especially given the severity of these exploits and their active use by both cybercriminals and law enforcement agencies.