Critical Android Zero-Day Exploited in Targeted Attacks for Full Device Control A high-severity Android zero-day vulnerability, tracked as CVE-2025-48595, is being actively exploited in targeted attacks, allowing threat actors to gain near-complete control over affected devices without user interaction. The flaw, disclosed in Google’s June 2026 Android Security Bulletin, resides in the Android Framework and enables elevation-of-privilege (EoP) exploitation under specific conditions. Attackers can leverage the vulnerability remotely to escalate privileges without requiring additional permissions, turning a limited compromise into full device takeover. Google confirmed real-world exploitation in the wild, though details on the scope and targets remain limited. The incident underscores the risks posed by privilege-escalation flaws, particularly when actively weaponized. Rapid patch deployment is critical to mitigating exposure, as the vulnerability affects multiple Android versions. No further technical details or attribution have been publicly disclosed.

Google Patches Critical Zero-Click Android RCE Vulnerability in May 2026 Update Google has disclosed a severe remote code execution (RCE) vulnerability in Android, tracked as CVE-2026-0073, which allows attackers to gain unauthorized access to devices without any user interaction. The flaw, rated critical, resides in the Android Debug Bridge daemon (adbd), a core system component used by developers for device communication and command execution. Exploiting this vulnerability requires only proximity to the target device either on the same local network or within physical range making it a zero-click attack that bypasses traditional security measures. Once exploited, attackers can execute arbitrary code with "shell" user privileges, evading application sandboxes and gaining deep system access. The issue affects Android 14, 15, 16, and 16-QPR2, as adbd is a Project Mainline component distributed via Google Play system updates. Google addressed the flaw in the May 1, 2026, security patch, with hardware partners notified in advance to prepare over-the-air (OTA) updates. Patches have also been released to the Android Open Source Project (AOSP) to ensure broader ecosystem security. Users are advised to verify their device’s security patch level is May 1, 2026, or later and check for pending Google Play system updates, particularly on devices running Android 10 or newer. The fix mitigates a high-risk threat, as the flaw’s zero-click, proximity-based nature makes it an attractive target for advanced threat actors.

Google Patches 130 Android Vulnerabilities, Including Exploited Zero-Day Google released its March 2026 Android security updates, addressing nearly 130 vulnerabilities one of which is an actively exploited zero-day. The flaw, tracked as CVE-2026-21385 (CVSS 7.8), affects the graphics component in over 200 Qualcomm chipsets, stemming from an integer overflow issue that could lead to memory corruption during memory allocation. Exploitation of the bug could allow attackers to bypass security controls and gain unauthorized system access, according to Jamf’s Adam Boynton. Qualcomm first received the report from Google’s Android Security team on December 18, 2025, notified customers on February 2, and publicly disclosed the vulnerability on March 3, 2026. Google’s security bulletin confirms limited, targeted exploitation in the wild, though no attack details were provided. Such vulnerabilities are frequently leveraged by commercial spyware vendors. The fixes are split across two patch levels: - 2026-03-01: Addresses over 50 vulnerabilities in the Framework and System components, including critical remote code execution (RCE) and denial-of-service (DoS) flaws. The most severe a System component bug could enable RCE without user interaction or additional privileges. - 2026-03-05: Resolves 60+ vulnerabilities in kernel, Arm, Imagination Technologies, MediaTek, Unisoc, and Qualcomm components, including CVE-2026-21385. Devices updated to 2026-03-05 or later are protected against all patched issues. Google also released fixes for two Wear OS vulnerabilities in its Framework and System components, incorporating all March Android security patches. No platform-specific updates were issued for Android Automotive OS or Android XR this month.

New Android RAT "Oblivion" Bypasses Security Protections, Grants Full Device Control Security researchers at Certo have identified Oblivion, a sophisticated Android Remote Access Trojan (RAT) targeting devices running Android 8 through 16. Sold on a subscription basis starting at $300, the malware is designed to evade detection and grant attackers persistent control over infected devices. Oblivion is marketed as compatible with heavily customized Android systems from manufacturers like Samsung, Xiaomi, and Oppo. Its package includes a builder tool, allowing buyers to generate malicious apps with custom names and icons, alongside a dropper that mimics legitimate update prompts. Infection typically occurs when users install apps from unofficial sources, though the malware’s polished interface suggests careful refinement to enhance credibility. A key feature of Oblivion is its abuse of Android’s Accessibility Service a feature intended to assist users with disabilities to bypass manual permission approvals. Once active, the malware can silently intercept SMS messages, two-factor authentication (2FA) codes, and push notifications, while also logging keystrokes in real time. Attackers gain remote control capabilities, including the ability to launch or remove apps, unlock devices using stolen credentials, and interact with the device through concealed sessions, all while displaying fake overlays to deceive the user. The malware employs anti-removal mechanisms to block attempts to revoke permissions or uninstall it, and its icon suppression further conceals its presence. Despite Google’s efforts to restrict Accessibility Service abuse, Oblivion reportedly bypasses protections even on the latest Android versions, highlighting persistent gaps in platform-level defenses. Unlike traditional malware relying on technical exploits, Oblivion’s effectiveness stems from social engineering and automation. Its subscription-based model lowers the barrier for attackers, enabling even those with minimal expertise to gain control over devices, exfiltrate sensitive data, and manipulate apps remotely. The emergence of such tools underscores the growing threat posed by commercially available malware and the challenges in detecting evolving attack methods.