Android’s Latest Security Update Fixes 120 Flaws, with Two Under Active Attack

Vlad CONSTANTINESCU

September 04, 2025


Google issues an urgent September patch bundle with fixes for high-severity vulnerabilities already being exploited.

Record-breaking September security update

Android has rolled out its biggest security release of the year, pushing 120 fixes to users worldwide. In contrast to the July update, when no new patches were deemed necessary, the urgency of this patch bundle is clear: threat actors are already leveraging two vulnerabilities in what Google describes as “limited, targeted exploitation.”

The flaws, CVE-2025-38352 in the Linux kernel and CVE-2025-48543 in Android’s runtime environment, allow privilege escalation without user interaction. While Google has yet to identify the attackers, researchers suspect spyware vendors are exploiting the weaknesses. Hong Kong’s cybersecurity response team has strengthened the company’s warnings, pointing to evidence of small-scale, targeted activity.

Fixed Qualcomm and Imagination Technologies issues

Beyond the headline-grabbing vulnerabilities, the update also addresses three critical flaws in Qualcomm components. They affect GPS systems, mobile data stacks and call processors, and one carries a severity score of 9.1 out of 10. Qualcomm has recently extended its device support period to as long as eight years, a move widely seen as aligning with Google’s push for longer software lifecycles.

Imagination Technologies, the company behind the PowerVR graphics chips found in many Android devices, also features in this patch bundle: 10 high-severity issues in its GPU drivers have been patched.

A worrying critical flaw in the System component

While most of the fixes are labeled high severity, one additional flaw in Android’s core system stands out. Tracked as CVE-2025-48539, this flaw is a remote code execution (RCE) vulnerability that could, in theory, let attackers compromise a device without physical access.

Unfortunately, the fragmented Android ecosystem often slows patch distribution. While Google’s Pixel phones receive updates immediately, other manufacturers take longer, leaving millions of devices exposed.

Google currently holds only about four percent of the US smartphone market, meaning most Android users rely on manufacturers like Samsung and Motorola to roll out updates. As of now, neither company has indicated when users can expect these patches.

Adding an extra layer of security beyond patching

Installing security patches as soon as they arrive is always crucial. Doing so can close the very holes attackers are targeting in vulnerable systems. Still, vulnerabilities can be exploited before fixes reach every device, and that’s where specialized security tools come in.

Solutions like Bitdefender Mobile Security for Android provide an additional shield by blocking malware, phishing attempts and suspicious apps in real time. While not a substitute for security patches, specialized tools can help protect users during the often long wait for manufacturers to deliver patches.

Author


Vlad CONSTANTINESCU

Vlad's love for technology and writing created rich soil for his interest in cybersecurity to sprout into a full-on passion. Before becoming a Security Analyst, he covered tech and security topics.
