Saturday, September 6, 2025

Google confirms Android attacks, 1 billion phones left without security fix

Two critical flaws hit Android—millions patched, but 1 billion older phones left vulnerable

Google has confirmed that Android phones are under active attack, with two serious vulnerabilities already being exploited in the wild. Pixel devices will be patched immediately, but more than a billion older Android phones that no longer receive monthly security updates will stay exposed for good.

The flaws, catalogued as CVE-2025-38352 and CVE-2025-48543, affect the Linux kernel used by Android and the Android Runtime respectively. Both are elevation-of-privilege bugs that Google rates "high severity", and Google noted that exploiting them requires no user interaction: code already running on the device, such as a malicious app, can use them to gain escalated privileges without being granted any additional permissions.

In addition to those two zero-days, Google’s September update includes four further critical fixes. One targets the Android System (CVE-2025-48539), while three affect Qualcomm chipsets (CVE-2025-21450, CVE-2025-21483 and CVE-2025-27034). Patches for those issues will be rolled out by manufacturers over the coming weeks as they update their own firmware and monthly bulletins.

Pixel owners will receive protection immediately, but users of other brands face the usual delays as patches filter through OEMs' release cycles. Google said that eligible Pixel devices will be updated and that the corresponding source patches will be released to the Android Open Source Project within 48 hours of the bulletin; device makers are notified of the issues at least a month before the bulletin is published. The bigger issue is for older phones.

Google reminded users that only devices still covered by monthly security updates will be protected. An estimated one billion Android devices are already beyond that support window, many of them running operating system versions that cannot be upgraded. For those devices, these flaws will never be fixed.

That reality underlines the fragmented nature of the Android ecosystem, where different manufacturers maintain their own update schedules—and many users fail to receive critical fixes in time, if at all.


Security researchers warn that this problem is only getting worse. Mobile security firm Zimperium estimates that 25.3% of Android devices can no longer be updated at all because of their age, and that at any given moment more than half of active devices worldwide are running an outdated operating system version. Those devices are the ones most likely to be compromised already.

For affected users, the advice is stark: upgrade your phone. Without the ability to install security patches, older devices remain vulnerable to attacks that can steal data, install spyware, or hijack functions. “Until you do, your data and your device are at risk,” analysts warn.

The announcement is part of Google’s monthly Android Security Bulletin, which has become a key barometer for device health across the mobile ecosystem. While it highlights Google’s responsiveness in addressing newly discovered flaws, it also exposes the widening gap between supported and unsupported phones.

The stakes are especially high because of the nature of the vulnerabilities. Both of the zero-days confirmed as actively exploited allow privilege escalation without user interaction. In practice, this means that once an attacker has any code running on the phone, whether through a malicious app or a chained browser or messaging exploit, they don't need to trick the user into anything further: the flaw itself hands them elevated privileges. On an unpatched device, any app that slips past the store or sideloading checks becomes a potential path to full compromise.

For consumers, the lesson is clear: keep your phone up to date and pay attention to manufacturer support timelines. The security patch level shown under Settings > About phone tells you where your device stands; if it lags behind the current bulletin date and your manufacturer no longer publishes updates, the handset is not just obsolete, it's unsafe.
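The check described above, done from a workstation with adb rather than by hand, as an added example that is not code from the article or from Google. It assumes the full September 2025 patch level is 2025-09-05 (the bulletin publishes a 2025-09-01 and a 2025-09-05 level; the later one includes the vendor and kernel fixes), that `ro.build.version.security_patch` is the standard property reporting a device's patch level, and that `ro.vendor.build.security_patch`, where present, reports the vendor partition level that carries SoC fixes such as the Qualcomm ones. The sample values at the bottom are constructed for an offline run.

```shell
#!/bin/sh
# Added example (not from the article): compare an Android device's reported
# security patch level with the bulletin level that carries the fixes.
# Assumed bulletin level: 2025-09-05 (full September 2025 patch level).

# date_to_int 2025-09-05 -> 20250905; prints nothing if the value is not a
# well-formed YYYY-MM-DD date (empty property, stray characters, etc.).
date_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s' "$1" | sed 's/-//g' ;;
        *) printf '' ;;
    esac
}

# patch_status <device_level> <required_level>
# Prints "patched", "unpatched" or "unknown"; exit status 0 only for "patched".
# Patch levels are dates, so numeric comparison of YYYYMMDD is sufficient.
patch_status() {
    dev=$(date_to_int "$1")
    req=$(date_to_int "$2")
    if [ -z "$dev" ] || [ -z "$req" ]; then
        echo unknown
        return 2
    fi
    if [ "$dev" -ge "$req" ]; then
        echo patched
        return 0
    fi
    echo unpatched
    return 1
}

# device_status <required_level>
# Queries the attached device over adb. `adb shell` output can end in a
# carriage return, which would otherwise break the date pattern, so strip it.
device_status() {
    req="$1"
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    vendor=$(adb shell getprop ro.vendor.build.security_patch | tr -d '\r\n')
    printf 'system patch level: %s -> %s\n' "$level" "$(patch_status "$level" "$req")"
    if [ -n "$vendor" ]; then
        printf 'vendor patch level: %s -> %s\n' "$vendor" "$(patch_status "$vendor" "$req")"
    fi
}

# "--check [level]" queries a real device; otherwise run constructed samples.
if [ "${1:-}" = "--check" ]; then
    device_status "${2:-2025-09-05}"
else
    for sample in 2025-09-05 2025-10-01 2025-08-01 "" 2025-9-5; do
        printf "%-14s -> %s\n" "'$sample'" "$(patch_status "$sample" 2025-09-05)"
    done
fi
```

Run it as `sh check_patch_level.sh --check` with a device connected and USB debugging enabled. A "patched" system level with an older vendor level is worth noticing: the kernel and Android Runtime fixes may be present while the chipset fixes are not, which is exactly the gap OEM firmware updates are meant to close.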
