Picture yourself locking the front door, carefully checking it, setting the alarm, and only then discovering someone had walked in anyway. That is roughly what owning an Android phone feels like these days. Welcome to Android in 2025, where monthly updates are less about features and more about preventing forensic-level intrusions. For the third month in a row, Google has confirmed that Android phones are under attack, and what was meant to be yet another routine security patch is now ringing emergency alarm bells. These vulnerabilities are under active exploitation, and among the exploiters.
Google’s April update addresses two critical vulnerabilities, CVE-2024-53150 and CVE-2024-53197. These are no ordinary bugs: Google marks them as “under limited, targeted exploitation.” They have been exploited in the wild by forensic tools, such as those from Cellebrite, used by law enforcement agencies.
Two Vulnerabilities under Exploitation
The first one, CVE-2024-53150, is a memory-related vulnerability in the Android kernel that can allow attackers to extract local data. The second, CVE-2024-53197, lands harder and is much worse in context. It is associated with one of the vulnerabilities previously tied to Cellebrite, a forensic investigation vendor whose services law enforcement agencies use to retrieve data from smartphones, even locked ones. This adds to existing concerns about the security of devices that most people believe are safely locked.
The repercussions go beyond that: such exploits are not limited to careless users. The attacks are usually designed to bypass ordinary protection mechanisms, and the average user does not notice that their device has already been compromised.
A Backlash to Samsung
Samsung recently faced a backlash for not having fixed the CVE-2024-50302 vulnerability. It was known to be under attack, and Google patched it for Pixel users in its March update. A fix only became available to Samsung users in April, effectively leaving millions of devices exposed for weeks.
The delay was no exception: Samsung has faced added scrutiny over the years for lagging behind Google in patching vulnerabilities. In today’s world of active, practical exploits and attacks, that is a real liability.
An Unexpected Leap for Samsung
This month marks a rare turnaround. For the first time in several cycles, Samsung has included both of Google’s April zero-day patches, CVE-2024-53150 and CVE-2024-53197, in its own April update. This is an extremely rare instance of synchronized patching between Pixel and Samsung; while it is welcome, it also underlines how grave the threat has become.
The pressure to roll out timely updates is currently at its peak, especially with forensic-grade exploits increasingly targeting Android’s most secure configurations. Google might be setting the pace, but Samsung cannot afford to slow down any further.
GrapheneOS Confirms the Exploits
GrapheneOS, a security-focused Android distribution, made the severity of the situation clear. According to the developers, both of the vulnerabilities patched this month had been in actual use for extracting data from locked Android devices. Both vulnerabilities target locked devices, and GrapheneOS’s hardened OS makes them much harder to exploit while the phone is unlocked.
According to GrapheneOS,
“2 more vulnerabilities marked as being exploited in the wild are both vulnerabilities for locked devices, which its software made both far harder to exploit while unlocked. Both vulnerabilities were being exploited by Cellebrite for data extraction from locked Android devices.”
They further stated that the exploits were part of Cellebrite’s toolkit, which highlights how far attackers have advanced in penetrating what were thought to be virtually unbreakable forms of encryption and software locking. This is a wake-up call: the threshold for compromise is now assumed to be much lower than users would expect. An updated, unlocked device could be breached, and an old, locked device does not guarantee security.
Perfect Timing for Android 15 Rollout
The timing is perfect, since the One UI 7 / Android 15 upgrade should be rolling out around now for Samsung’s flagship 2023 and 2024 models. This update brings additional security features, including advanced memory protections, further strengthening defenses against data exfiltration, even in forensic-level attacks.
Some would say it could hardly be a coincidence. It is becoming apparent that Google and Samsung are responding to the rising threat from surveillance tools intended to break mobile security on a large scale. With every patch, the message is clear: software defenses must evolve and keep pace with the threats being posed.
Android 16
Looking ahead, Android 16 will introduce a feature modeled after Apple’s so-called non-activity reboot, a mechanism for automatically rebooting the phone after extended periods of inactivity. This is a simple yet effective idea: a clean boot invalidates many long-lasting exploits and makes it harder for an attacker to maintain access to the system. Exploits today increasingly focus on phones that can run for weeks without a restart; in this evolving threat landscape, even a reboot becomes a weapon of defense.
Security a Necessity
The latest Android update makes clear to users that security is no longer in the background but has become the frontline of the smartphone experience. With surveillance technology advancing so rapidly, regular updates are no longer optional. For users with Samsung and Pixel devices, this is not just another patch: it is a reminder that even the most secure phones are now vulnerable. The question is no longer if your device is subject to hacking, but when.