December 2, 2025

Google Patches 107 Android Vulnerabilities: What It Means for App Security in 2026

Madina M
and updated on:
February 25, 2026

Google has kicked off December with one of its biggest Android security updates of the year, patching 107 vulnerabilities, including two high-severity zero-days currently under active exploitation. The update – split across patch levels 2025-12-01 and 2025-12-05 – arrives as Android manufacturers prepare their final software pushes before the new year.

It’s the second-largest vulnerability patch count of 2025, underscoring how rapidly mobile threats are evolving and how critical OS-level security has become for both users and developers.

Two actively exploited zero-days highlight ongoing Android risks

Google confirmed two zero-days in this month’s bulletin:

  • CVE-2025-48633 – a high-severity vulnerability allowing attackers to access sensitive information through the Android framework.
  • CVE-2025-48572 – a privilege escalation flaw that could let malicious apps gain unauthorized control.

Both appear to be under “limited, targeted exploitation,” according to Google – language that typically signals attacks against specific users rather than widespread campaigns.

The company also highlighted CVE-2025-48631, a critical framework flaw enabling remote denial of service with no user interaction required.

More than 100 fixes across framework, system, kernel, and chipset vendors

The December update covers vulnerabilities across nearly every layer of the Android ecosystem, including:

  • 37 framework vulnerabilities
  • 14 system fixes
  • 9 kernel issues, four of which are critical
  • Arm, MediaTek, Qualcomm, and Unisoc components, accounting for dozens more fixes

Chipset vendors continue to play a major role in Android security, given how deeply integrated their drivers are with the OS. MediaTek, Qualcomm, and Unisoc each shipped patches addressing critical bugs that could allow code execution, memory corruption, or hardware-level compromise.

Google says source code for the patched vulnerabilities will be published to the Android Open Source Project within days.

OEMs will roll out updates on their own schedules

As usual, Android device makers will release the patches individually after adapting them to their custom OS layers. Pixel devices typically receive updates first, followed by Samsung, OnePlus, and others over the coming weeks.

This fragmented update model is one of Android’s ongoing security challenges, as millions of devices may remain unpatched for months – or indefinitely – depending on manufacturer support cycles.
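Because rollout timing differs by manufacturer, a team managing test or corporate devices can check each device's reported patch level against the two levels named above. The following is an added example, not code from Google or from this article's author: the inventory lines are constructed, and the third column stands in for the value of the `ro.build.version.security_patch` system property (exposed to apps as `Build.VERSION.SECURITY_PATCH`). By Android bulletin convention, the later patch level includes every fix in the earlier one.

```python
from datetime import date

# Patch levels named in the article for the December 2025 bulletin.
PARTIAL_LEVEL = date(2025, 12, 1)   # first subset of fixes
FULL_LEVEL = date(2025, 12, 5)      # all fixes in the bulletin

# Constructed sample inventory: serial, model, reported security patch level.
SAMPLE_INVENTORY = """\
emu-0001  pixel-test   2025-12-05
emu-0002  oem-a-test   2025-12-01
emu-0003  oem-b-test   2025-09-01
emu-0004  oem-c-test   2026-01-05
emu-0005  oem-d-test   unknown
emu-0006  oem-e-test
"""

def classify(patch_level: str) -> str:
    """Map a YYYY-MM-DD patch level string to a coverage status."""
    try:
        level = date.fromisoformat(patch_level.strip())
    except ValueError:
        return "unknown"          # missing or malformed value: treat as unverified
    if level >= FULL_LEVEL:
        return "full"
    if level >= PARTIAL_LEVEL:
        return "partial"
    return "unpatched"

def audit(inventory: str) -> dict:
    """Group device serials by coverage status."""
    report = {"full": [], "partial": [], "unpatched": [], "unknown": []}
    for line in inventory.splitlines():
        fields = line.split()
        if not fields:
            continue              # skip blank lines
        serial = fields[0]
        patch = fields[2] if len(fields) >= 3 else ""
        report[classify(patch)].append(serial)
    return report

if __name__ == "__main__":
    for status, serials in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {len(serials)}  {', '.join(serials)}")
```

Devices that land in `unknown` deserve the same follow-up as `unpatched` ones, since a device that cannot report a valid patch level cannot be shown to carry the fixes.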

What this means for app security in 2026

With the rise of advanced mobile malware, AI-assisted attacks, and increasingly complex supply chains, Android security will be shaped by:

  • OS-level protection
  • hardware-level patching
  • developer-driven safeguards
  • user awareness and update adoption

Developers should be prepared for a year where app security isn’t just a backend concern – it’s a core part of the product experience.

The bottom line

Google’s December patch drop is more than a routine update – it’s a reminder of how dynamic and high-stakes mobile security has become. With 107 vulnerabilities addressed and multiple zero-days in the wild, the message is clear: app developers must stay proactive, test across OS versions, and build resilient security into every layer of their products.

Security is no longer a checkbox for 2026 – it’s a competitive advantage.
