Two Android 0-day bugs disclosed and fixed, plus 105 more to patch

Two high-severity Android bugs were exploited as zero-days before Google issued a fix, according to its December Android security bulletin.  The two vulnerabilities are CVE-2025-48633, an information-disclosure flaw in Android's framework component, and CVE-2025-48572, an elevation-of-privilege bug also in the framework …

  1. Nate Amsden Silver badge

    Have to be patient

    The article makes it sound as if the users have control and can just go update their devices, when in reality of course they are more often than not in a situation where they have to wait for their carrier or device manufacturer to release the updates (assuming they release them at all).

    I know El Reg knows this as well, which is why the tone of the article was rather odd to me.

    For me, I will upgrade to Android 15 soon on my S24 Ultra. Samsung has underestimated my ability to dismiss their upgrade notifications 5-6x per day every day for the past 6 months, and unlike security updates, upgrades cannot be forced on devices (well, at least not on my device after I set some setting that I forgot what setting it was now).

    Samsung also underestimates my ability to dismiss their requests for me to agree to their new privacy policy ("in order to get access to the latest offers and perhaps AI stuff")!

    I am generally pretty careful what I use my phone for though, such as disabling auto MMS download. I really don't use it for any payments or buying online (unless it's a last resort); I use my computer for that stuff.

    I'd be happier if, rather than major version upgrades, I just got the security patches for as long as a particular version of Android is supported, and only when support is gone entirely upgraded to the next version. Reality is of course most carriers (perhaps manufacturers too) I think abandon the older versions the moment a new version comes out. So for example I am on Android 14, which from what I can see still gets security updates from Google, but those updates don't get to me since my carrier/manufacturer wants me to upgrade to 15 instead.

    1. DCdave

      Re: Have to be patient

      Yes, Samsung's insistence on tying security and non-security updates together is getting annoying, and even more so with the attempted forced updates and new T&Cs, such that I am tempted to look around for my next phone, rather than just taking the latest Samsung. However, there's no longer as much choice and they know that.

      But I don't think your carrier is blocking security only updates that Google issue, just that most manufacturers do not make them available as a separate patch when Google issues a fix (which is only code, not an actual patch), they integrate them into their overall build.

      1. MiguelC Silver badge

        Re: Have to be patient

        Not even my Google Pixel has received this update, so it seems ElReg jumped the gun a bit here

        1. DCdave

          Re: Have to be patient

          Samsung have officially released the fixes, though (as have Google), however it's a staged rollout globally. Typically these days I get them about 3 weeks after release, which is... suboptimal, particularly for critical fixes.

    2. Irongut Silver badge

      Re: Have to be patient

      > I will upgrade to Android 15 soon on my S24 Ultra

      You're a couple of versions behind. My S22 Ultra upgraded to Android 16 a couple of months ago.

      Your phone is vulnerable to many, many security issues that have been patched and have exploits in the wild. And you chose for it to be that way.

    3. Irongut Silver badge

      Re: Have to be patient

      > I will upgrade to Android 15 soon on my S24 Ultra

      You're a couple of versions behind. My S22 Ultra & A33 upgraded to Android 16 a couple of months ago.

      Your phone is vulnerable to many, many security issues that have been patched and have active exploits in the wild. And you chose for it to be that way.

      > Reality is of course most carriers (perhaps manufacturers too) I think abandon the older versions the moment a new version comes out.

      My S22 & A33 both just received the Nov 2025 security update. Both are over 3 years old and released with Android 12, currently running Android 16. In what way have they been abandoned?

  2. Ken Hagan Gold badge

    Does this matter?

    It seems that phones go out of support every other month (depending on vendor and model) and if you stopped 100 people in the street and asked them whether their phone was up-to-date probably only half a dozen could give you an accurate answer. Of the same group, how many are doing banking and shopping payments on that device? Apparently almost no-one cares.

    Contrast with the situation on PCs where the imminent demise of Win10 support was headline news and loads of people fretted over whether it was safe to use their PC if they didn't upgrade.

    So where is the truth here? Are most phones recklessly unsafe, or do we worry needlessly about our PCs, or is there a technical reason why it is OK to do financial transactions on a phone but not a PC?

    (I was asked this recently and while my gut feeling leans towards the first option, I am genuinely in some doubt because the rest of the world seems to favour the other two and the sky has not fallen in.)

    1. Nate Amsden Silver badge

      Re: Does this matter?

      I think in most cases, for most users, the biggest threat is just installing super questionable apps, which I think most users don't generally do. Think of the news stories about various at least Android apps that have been found to be malicious. Their install bases tend to be tiny compared to the market as a whole. So your personal risk factor in general is quite low regardless of how your device is patched.

      I have said for a long time, the best form of security is "don't be a target". Most people are not targets. People that are targets don't really have much choice (thinking politicians, perhaps journalists, important leaders etc). A nation state (or similar) is not likely to deploy their fancy malware broadly; they want to target those that they really want to get and not let the world know what they are exploiting and how. You may get hit anyway, but in my 30 years on the internet the real world likelihood of that happening is super remote (it was much more likely 25 years ago when people were directly connecting their operating systems to the internet with dialup modems).

      For computers, really just keep your browser relatively up to date (even Windows 7 still has Firefox being officially supported through ESR for a few more months!), and if you need to go to a website that is questionable ... (I would say gaming sites, especially those that offer cracks and stuff, along with the "free" porn sites) use another computer or at least use a VM or isolated browser to do that stuff, and be sure to have decent security software installed (maybe you trust Windows Defender enough, or maybe not.. assuming you use Windows - I've used Linux on my desktop/laptop since 1998), and don't connect directly to public networks (includes public wifi etc) unless as a last resort. I'll tether to my phone in the rare cases that I am traveling with a laptop before I consider public wifi, or even hotel wifi; for me all of that is last resort. It's PROBABLY FINE, but I'd rather not if I have an alternative.

  3. VoiceOfTruth Silver badge

    >> is there a technical reason why it is OK to do financial transactions on a phone but not a PC

    Probably not technical. At least not yet. If banking apps, including apps used to authenticate transactions - such as PayPal - start depending on a minimum Android version, that will kill internet banking as we know it. It will exclude a lot of people who use older phones.

    1. David Pearce

      Some already do

      HSBC for a start demand minimum OS versions

      1. VoiceOfTruth Silver badge

        Re: Some already do

        Yes, I get your point on this. I perhaps should have been clearer - when the banks start depending on the latest or latest -1 versions. This happens quite often with desktop software, Macs included.

    2. Joe W Silver badge

      Some banking apps to do MFA (well... yeah...) depend on a certain minimum version of the phone OS. So we are there already (for some banks and some customers).

  4. Anonymous Coward

    Update vs banking apps

    I had a look today at what I would have to do to install LineageOS on my 5y old phone - it's still working fine for me -

    and get the Revolut app working, because they don't accept rooted devices, and LineageOS neither.

    zygisk next, zygisk assistant, play integrity fork, tricky store and tricky store addon modules, HMA-OSS, PIF inject and god knows how many steps to get it working

    Not sure if I'll be safer with outdated stock ROM and security patches or this patched Lineage - not sure all those mods are all that safe

    It pisses me off that sec updates are tied to the manufacturer
