Google’s April Update Fixes Actively Exploited Android Flaws

Google has released its April 2025 Android security update, addressing 62 vulnerabilities, including two high-severity flaws that are currently under active exploitation. These vulnerabilities, CVE-2024-53150 and CVE-2024-53197, were first disclosed in December and affect the Linux kernel’s USB audio driver.

According to Google, CVE-2024-53150 poses the highest risk with a CVSS score of 7.1, enabling attackers to access potentially sensitive data. Meanwhile, CVE-2024-53197 is part of a zero-day exploit chain attributed to Israel-based forensics firm Cellebrite. This exploit chain was reportedly used by Serbian security services to hack the device of a youth activist, as revealed by Amnesty International.

Beyond the two actively exploited flaws, the update also includes:

  • 2 critical and 12 high-severity flaws in the Android system
  • 1 critical and 13 high-severity flaws in the Android framework
  • Fixes for vulnerabilities across MediaTek, Qualcomm, Arm, and Imagination Technologies components

The April update introduces two patch levels, 2025-04-01 and 2025-04-05, giving manufacturers flexibility in rolling out the security enhancements.

Pixel device owners will receive the update immediately, while other Android manufacturers will deploy the patch following their custom OS adaptation processes. Google confirmed that all fixes will be added to the Android Open Source Project (AOSP) by Wednesday.

This latest update highlights the ongoing threat posed by zero-day exploits and reinforces the importance of regular Android security patches for protecting user data.