
Google fixes Android zero-days exploited in attacks, 60 other flaws


Google has released patches for 62 vulnerabilities in Android's April 2025 security update, including two zero-days exploited in targeted attacks.

One of the zero-days, a high-severity privilege escalation vulnerability (CVE-2024-53197) in the Linux kernel's USB-audio driver for ALSA devices, was reportedly exploited by Serbian authorities to unlock confiscated Android devices as part of a zero-day exploit chain developed by Israeli digital forensics company Cellebrite.

This exploit chain—which also included a USB Video Class zero-day (CVE-2024-53104, patched in February) and a Human Interface Devices zero-day (CVE-2024-50302, patched last month)—was discovered by Amnesty International's Security Lab in mid-2024 while analyzing logs found on devices unlocked by Serbian police.

Google told BleepingComputer in February that these fixes were shared with OEM partners in January. 

"We were aware of these vulnerabilities and exploitation risk prior to these reports and promptly developed fixes for Android. Fixes were shared with OEM partners in a partner advisory on January 18," a Google spokesperson told BleepingComputer.

This month's second zero-day fixed (CVE-2024-53150) is an Android kernel information disclosure vulnerability caused by an out-of-bounds read weakness that enables local attackers to access sensitive information on vulnerable devices without user interaction.

The March 2025 Android security updates also patch 60 other security vulnerabilities, most of which are high-severity elevation of privilege flaws.

Google issued two sets of security patches, the 2025-04-01 and 2025-04-05 security patch levels. The latter provides all the fixes from the first batch and security patches for closed-source third-party and kernel subcomponents, which may not necessarily apply to all Android devices. 
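Because the two kernel zero-days only ship with the later of the two patch levels, a fleet check has to compare each device's `ro.build.version.security_patch` against 2025-04-05, not just 2025-04-01. The script below is an added example (not from the article or from Google): it parses constructed `adb shell getprop` output and reports which devices still lack the level carrying each fix, assuming both kernel CVEs sit in the 2025-04-05 level and treating a missing or malformed value as unpatched.

```python
import re
from datetime import date
from typing import Dict, List, Optional

# Patch level that first carries each April 2025 zero-day fix. Both are kernel
# fixes, so they are assumed (not quoted from the bulletin) to require the
# 2025-04-05 level, which is the one that adds kernel subcomponent patches.
REQUIRED_LEVEL = {
    "CVE-2024-53197": date(2025, 4, 5),  # ALSA USB-audio privilege escalation
    "CVE-2024-53150": date(2025, 4, 5),  # kernel out-of-bounds read
}

# 'adb shell getprop' dump line vs. 'getprop ro.build.version.security_patch' bare value.
_DUMP_RE = re.compile(r"^\[ro\.build\.version\.security_patch\]: \[(\d{4}-\d{2}-\d{2})\]$")
_BARE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})$")


def parse_security_patch(getprop_output: str) -> Optional[date]:
    """Return the device's security patch level, or None if absent or malformed."""
    for line in getprop_output.splitlines():
        m = _DUMP_RE.match(line.strip()) or _BARE_RE.match(line.strip())
        if m:
            try:
                return date.fromisoformat(m.group(1))
            except ValueError:
                return None  # e.g. 2025-13-40: do not trust it
    return None


def missing_fixes(level: Optional[date], required=REQUIRED_LEVEL) -> List[str]:
    """CVEs whose fix level the device has not reached; unknown level fails closed."""
    if level is None:
        return sorted(required)
    return sorted(cve for cve, needed in required.items() if level < needed)


def triage(devices: Dict[str, str]) -> Dict[str, List[str]]:
    """Map device id -> April 2025 zero-days it is still exposed to."""
    return {dev: missing_fixes(parse_security_patch(out)) for dev, out in devices.items()}


# Constructed sample getprop output for four hypothetical devices.
SAMPLE_GETPROP = {
    "pixel-lab-01": "[ro.product.model]: [Pixel 8]\n[ro.build.version.security_patch]: [2025-04-05]\n",
    "oem-field-07": "[ro.build.version.security_patch]: [2025-04-01]\n",  # first batch only
    "oem-field-12": "2025-02-05\n",                                         # bare value form
    "unknown-03": "[ro.product.model]: [Generic]\n",                        # no level reported
}

if __name__ == "__main__":
    for dev, cves in triage(SAMPLE_GETPROP).items():
        print(f"{dev}: {'patched' if not cves else 'missing ' + ', '.join(cves)}")
```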

Google Pixel devices receive these updates immediately, while other vendors often take longer to test and fine-tune the security patches for their specific hardware configurations.

In November 2024, Google also fixed another Android zero-day (CVE-2024-43047), first tagged as exploited by Google Project Zero in October 2024 and used by the Serbian government in NoviSpy spyware attacks against Android devices belonging to activists, journalists, and protestors.
