Google Confirms Android Attacks-No Fix for Most Samsung Users

charcircuit

>But in reality, Samsung (and the other Android OEMs) cannot compete with Google and its unique control over hardware and software.

Yes, they can. We are talking about applying provided security patches to source code, and then releasing a new version of their OS. For patches that have existed for months. The time from patch to release should be on the order of days from receiving the patches to having a validated OS release with the fix being sent to users. It's not the control of Android which makes it possible for Google to patch their Pixel branch of AOSP faster than Samsung can patch their own. It's that Samsung doesn't care about prompt security fixes so they don't allocate engineers to do the work.

kelnos

> This [update] was rushed out to all Pixel users.

Pixel 8 here, still don't have the update. That's... not great.

nervysnail

I'd suggest you use GrapheneOS.

xnx

No fix yet for Samsung. Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

bigbadfeline

> Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

Being reliant on a single OS permanently nailed to the hardware is no less crazy. I'd like to be able to install another OS on a vulnerable device, it would help tremendously and not only with the security of that specific device.

Now I've got some expensive paperweights that I can't even use as such because every time I see them I have the urge to throw them in the trash can.

Provide a way to unlock the phones and a standard BSP, it should be the law.

ChocolateGod

I hoped with a move to Fuschia, Google would attempt to fix this, but unfortunately Fuschia on mobile is dead.

shwaj

It’s “Fuchsia” with a “chs” not a “sch”. Where do you get your information that it’s dead?

baal80spam

This requires user action, right? User needs to install the APK by hand? In other words - if I don't install any crap on my phone I am safe?

bigbadfeline

> if I don't install any crap on my phone I am safe?

We don't know. Practically no technical information is released about the bug, for what I care any play store app may exploit this at one time or another and there's no way to know. It's not like everyone and their CFO are shy of exploiting any user data they can get their greedy hands on.

purplehat_

The Forbes link unfortunately doesn't say much about how it works. This link does a little better:

https://github.com/Ashwesker/Blackash-CVE-2025-48633

The text there:

                  ┌──────────────────────────┐
                  │   Attacker (C2 Server)   │
                  └────────┬─────────────────┘
                           │ 1. Delivers malicious APK
                           │    (phishing, fake app store, drive-by)
                           ▼
  ┌─────────────────────────────────────────────────────┐
  │                Victim's Android 15 Phone            │
  │  (Security patch < 2025-12-01 → still vulnerable)   │
  └─────────────────────────────────────────────────────┘
                           │
            ┌──────────────┴──────────────┐
            ▼                             ▼
     User installs & opens       Malicious app runs in background
     "Fake Game / Tool" APK      (no permissions needed for this CVE)
            │
            │ 2. App triggers vulnerable Framework API
            │    (crafted Intent / Binder transaction)
            ▼
     ┌───────────────────────────────────┐
     │   Android Framework (buggy        │
     │   code in Parcel/Binder handling) │
     └───────────────────────────────────┘
            │
            │ 3. Information Disclosure occurs
            │    → Sensitive data leaked without user interaction
            ▼
     Leaked data examples:
     • Device ID / IMEI
     • Installed app list
     • Account tokens
     • Contacts / SMS snippets
     • Clipboard content
     • Location history fragments
            │
            │ 4. Data silently sent back
            ▼
     ┌───────────────────────────────────────┐
     │   Attacker receives stolen data       │
     │   → Can be sold, used for spying,     │
     │     or chained with other exploits    │
     │     (e.g. CVE-2025-48572)             │
     └───────────────────────────────────────┘

charcircuit

This isn't accurate and is just an AI hallucination.

pogue

So it sounds like if you don't sideload apps you would not be at risk, correct?

4ndrewl

Conveniently Google can use this to justify banning installs from unofficial stores.

nutjob2

> The Forbes link unfortunately doesn't say much about how it works.

True, it says almost nothing of value about the exploit, but it does teach us that 30% is almost one in three.

da_grift_shift

Is this guy going to make a slop repo for every new CVE in a high-profile product advisory so he can rack up some stars and put this shit on his resume? Jesus fuck.

This is just polluting the namespace and making it harder for blue teamers and incident responders to find actionable IOCs.

His repos either: lack a PoC and just contain a README with more emojis than facts; try to pass a public version checker off as a PoC; or invent a non-working PoC in the absence of technical details.

Bullshit asymmetry.

rew0rk

While the information leakage/disclosure is a big issue, it feels like it's still a big jump to get users to install off-Play Store APKs?

Squeeze2664

Is GrapheneOS affected?

bramhaag

GrapheneOS patched this CVE back in September: https://grapheneos.social/@GrapheneOS/115647360248469626

jackwilsdon

From what I can tell, if you're running the latest security preview release[1] then it's already fixed: https://grapheneos.org/releases#2025120400

[1]: https://discuss.grapheneos.org/d/27068-grapheneos-security-p...

baaron

My tinfoil hat might be on too tight again... but the timing of this exploit coinciding with Google's full court press on Android user rights is just a little suspect. Especially after the ongoing public education campaign about the evils of "sideloading" an Android application.