The February 2025 Android security update addresses 48 vulnerabilities, including a zero-day kernel flaw that has been actively exploited in real-world attacks.

This high-severity vulnerability (CVE-2024-53104) is a privilege escalation bug in the USB Video Class (UVC) driver of the Android kernel. It allows authenticated local attackers to gain elevated privileges through a low-complexity exploit.

The root cause of this flaw lies in the improper parsing of UVC_VS_UNDEFINED frame types within the uvc_parse_format function. Due to an incorrect frame buffer size calculation, attackers can trigger out-of-bounds writes, leading to arbitrary code execution or denial-of-service (DoS) attacks.
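A simplified C model of this bug class, added here as an illustration and not taken from the kernel source or from Google's bulletin: a sizing pass that does not count undefined-type descriptors, and a parse pass that must therefore refuse them and bound its own writes. The helper names, the four-byte descriptor layout and the sample bytes are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Descriptor type and subtype values from the USB Video Class specification. */
#define USB_DT_CS_INTERFACE       0x24
#define UVC_VS_UNDEFINED          0x00
#define UVC_VS_FRAME_UNCOMPRESSED 0x05
#define UVC_VS_FRAME_MJPEG        0x07

/* Constructed sample: two descriptors with an undefined subtype, then one
 * uncompressed frame. Layout: bLength, bDescriptorType, subtype, bFrameIndex. */
static const uint8_t SAMPLE[] = { 4, 0x24, 0x00, 1,  4, 0x24, 0x00, 2,
                                  4, 0x24, 0x05, 3 };

/* Sizing pass (hypothetical helper): only defined frame subtypes are counted,
 * so the frame array is allocated with exactly this many slots. */
size_t count_frames(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    while (len >= 4 && buf[0] >= 4 && buf[0] <= len) {
        if (buf[1] == USB_DT_CS_INTERFACE &&
            (buf[2] == UVC_VS_FRAME_UNCOMPRESSED || buf[2] == UVC_VS_FRAME_MJPEG))
            n++;
        len -= buf[0];
        buf += buf[0];
    }
    return n;
}

/* Parse pass (hypothetical helper): stores bFrameIndex of each consecutive
 * descriptor of subtype ftype into out[], which has cap slots. */
size_t parse_frames(const uint8_t *buf, size_t len, uint8_t ftype,
                    uint8_t *out, size_t cap)
{
    size_t n = 0;
    if (ftype == UVC_VS_UNDEFINED)   /* never counted by the sizing pass */
        return 0;
    while (len >= 4 && buf[0] >= 4 && buf[0] <= len &&
           buf[1] == USB_DT_CS_INTERFACE && buf[2] == ftype) {
        if (n == cap)                /* independent bound on the output array */
            break;
        out[n++] = buf[3];
        len -= buf[0];
        buf += buf[0];
    }
    return n;
}

int main(void)
{
    uint8_t out[1];
    return parse_frames(SAMPLE, sizeof SAMPLE, UVC_VS_UNDEFINED, out,
                        count_frames(SAMPLE, sizeof SAMPLE)) == 0 ? 0 : 1;
}
```

Without the subtype guard, the parse loop would accept the two undefined-type descriptors in the sample even though the sizing pass counted only one frame; the capacity check is a second, independent defence against the same mismatch.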

Additional Security Fixes in February 2025 Update

Beyond this actively exploited zero-day, the latest Android security patches also address a critical vulnerability affecting Qualcomm’s WLAN component.

Tracked as CVE-2024-45569, this flaw stems from firmware memory corruption caused by an improper array index validation when parsing ML IE frame content.

Exploiting CVE-2024-45569 allows remote attackers to execute arbitrary code, modify memory, or crash affected systems—all without requiring user interaction or elevated privileges.

Android Security Patch Levels & Device Updates

Google has rolled out two patch levels for February 2025:

  • 2025-02-01: Includes core security updates.
  • 2025-02-05: Builds on the first patch set and adds fixes for closed-source kernel and third-party components (relevant to specific devices).

While some manufacturers may push out the initial patch set first for faster deployment, this does not necessarily indicate a higher exploitation risk.

Google Pixel devices receive security updates immediately, whereas other manufacturers may take longer to test and optimize patches for different hardware configurations.

Past Exploited Android Zero-Days

In November 2024, Google addressed two more actively exploited vulnerabilities (CVE-2024-43047 and CVE-2024-43093), both leveraged in targeted cyberattacks.

Google’s Project Zero flagged CVE-2024-43047 as actively exploited in October 2024. Reports later revealed that it was weaponized by the Serbian government in NoviSpy spyware operations, targeting activists, journalists, and protestors through compromised Android devices.