Google is advising Android users on how to address two exploited security vulnerabilities.

Google tells Android users what to do now that two Android flaws have been exploited.
Android users have been warned by Google about software vulnerabilities that could allow personal data theft. According to Google's Android Security Bulletin for this month, these flaws have already been exploited. The two highlighted flaws are CVE-2025-38352 and CVE-2025-48543, and Google indicates that these operating system flaws may be under limited, targeted exploitation.
The first flaw, CVE-2025-38352, impacts the Android kernel, which is responsible for system operations. The vulnerability is in the part of the system that manages app alarm clocks, which schedule tasks. Problems can arise when two parts of the system clear timers at the same time, potentially enabling a hacker to gain elevated privileges and access deeper system functions.
Google addressed this with a patch included in the recently released September 2025 Android update. To verify that an Android phone is updated, users can go to Settings > About Phone > Android version > Android security update. The flaw is patched if the date is September 5, 2025, or later. Otherwise, an immediate phone update is recommended.
The second flaw, CVE-2025-48543, involves a serious vulnerability within Android Runtime (ART), the component that runs apps. The issue is a memory handling error. This is analogous to a hotel that provides a room key, deletes the room, but doesn't cancel the key. An intruder with the key could still enter and seize the room.
A hacker could create a malicious app exploiting this flaw to obtain unwarranted permissions, allowing the malicious app to control system processes typically reserved for Google or the phone manufacturer. This could lead to unauthorized access to personal data and app credentials, like passwords.
Google believes that these flaws have been exploited, possibly targeting specific Android users like journalists, government employees, and activists.
Google issued a fix in the September 2025 Android update. Checking for the update involves navigating to Settings > About Phone > Android version > Android security update. If the date is September 1, 2025, or later, the phone is protected. If not, users should update their phones promptly.
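The two date checks described above can be scripted when more than one phone has to be verified. This is an added example, not code from Google or from the original article; it assumes the patch level is read over adb from the `ro.build.version.security_patch` system property, and the device serials in the sample inventory are constructed.

```shell
#!/bin/sh
# Added example. Thresholds are the dates quoted in the article.
KERNEL_FIX=2025-09-05   # CVE-2025-38352 (kernel)
ART_FIX=2025-09-01      # CVE-2025-48543 (Android Runtime)

# to_num YYYY-MM-DD -> YYYYMMDD; fails on anything that is not date-shaped.
to_num() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) printf '%s' "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# patch_status LEVEL -> one verdict per CVE; "unknown" if LEVEL is malformed.
patch_status() {
    level=$(to_num "$1") || {
        echo "CVE-2025-38352=unknown CVE-2025-48543=unknown"
        return 0
    }
    if [ "$level" -ge "$(to_num "$KERNEL_FIX")" ]; then k=patched; else k=needs-update; fi
    if [ "$level" -ge "$(to_num "$ART_FIX")" ]; then a=patched; else a=needs-update; fi
    echo "CVE-2025-38352=$k CVE-2025-48543=$a"
}

# audit_inventory: reads "serial patch_level" lines on stdin.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s %s\n' "$serial" "${level:-missing}" "$(patch_status "$level")"
    done
}

# Constructed inventory (serials and levels are made up for the example).
sample_inventory() {
    cat <<'EOF'
emu-0001 2025-09-05
emu-0002 2025-09-01
emu-0003 2025-08-05
emu-0004 unknown
EOF
}

# Live device, assuming adb is installed and the device is authorized:
#   patch_status "$(adb shell getprop ro.build.version.security_patch | tr -d '\r')"
sample_inventory | audit_inventory
```

A device reporting 2025-09-01 meets the date given for CVE-2025-48543 but not the later date given for CVE-2025-38352, which is why the script reports the two flaws separately.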
The concerning aspect is that CVE-2025-38352 and CVE-2025-48543 can be exploited without user interaction. This means that simply downloading a malicious app is enough to trigger the attack, without requiring users to click links, open attachments, or grant permissions.
Consider a seemingly harmless coloring app. Typically, such malware attempts to trick users into clicking a link or pressing a button after installation. However, this type of malicious app can execute its attack silently in the background once downloaded, without any further action required from the user.
Users should prioritize installing the latest monthly security releases.