Android Framework: Actively Exploited Integer Overflow Zero-Day CVE-2025-48595
A critical integer overflow vulnerability in the Android Framework, tracked as CVE-2025-48595, is being actively exploited in the wild to achieve unauthorized privilege escalation. Threat actors use the flaw to deploy "Landfall," a commercial-grade spyware suite built for covert surveillance and data exfiltration. Used together with CVE-2025-48593, the zero-day lets attackers bypass security boundaries to gain system-level access and complete control of the device. From that position they can intercept sensitive personal and enterprise data while sidestepping traditional network-level security controls. Google addressed these vulnerabilities in the June 2026 Android Security Bulletin.
Google Patches Actively Exploited Zero-Day in Android Framework CVE-2025-48595
Google has remediated CVE-2025-48595, a high-severity integer overflow vulnerability in the Android Framework that is currently being used in limited, targeted attacks. The flaw enables local privilege escalation (LPE): an attacker who has already achieved initial code execution (via a malicious application or a browser exploit) can use it to break out of the Android security sandbox and gain full system or root-level access. The vulnerability carries a CVSS score of 8.4, and the escalation phase requires no user interaction. Because of the active exploitation, CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agency remediation by June 5, 2026.
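The two items above describe the vulnerability class but not its code, so the following is an added illustration, not code from the page and not the actual vulnerable code of CVE-2025-48595 (which the bulletin summary does not give). It shows the generic pattern behind many framework integer-overflow LPE bugs: a 32-bit size computation that wraps before a bounds check sees it, placed beside the hardened form that rejects the request. The function names and the MAX_RECORD_BYTES limit are my own assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for the example: the largest record a parser is willing to
 * allocate. Not a value from the Android Framework. */
#define MAX_RECORD_BYTES (64u * 1024u)

/* VULNERABLE pattern: the product of two attacker-controlled 32-bit fields is
 * computed in 32-bit arithmetic and wraps modulo 2^32 before the bounds check
 * runs. Returns the size the code would allocate, or -1 if it rejects. */
int64_t size_unchecked(uint32_t count, uint32_t elem_size)
{
    uint32_t total = count * elem_size;   /* unsigned wraparound is silent */
    if (total > MAX_RECORD_BYTES)
        return -1;
    return (int64_t)total;                /* a wrapped value passes the check */
}

/* HARDENED pattern: detect wraparound first. The division test is portable;
 * on GCC/Clang __builtin_mul_overflow(count, elem_size, &total) does the same. */
int64_t size_checked(uint32_t count, uint32_t elem_size)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return -1;                        /* product would not fit in 32 bits */
    uint32_t total = count * elem_size;   /* now known not to wrap */
    if (total > MAX_RECORD_BYTES)
        return -1;
    return (int64_t)total;
}

/* Consequence of the unchecked path: the bytes a later copy loop would actually
 * write (count * elem_size, computed exactly in 64 bits) exceed the buffer the
 * wrapped size produced. This only reports the mismatch; it performs no copy. */
bool copy_would_overflow(uint32_t count, uint32_t elem_size)
{
    int64_t accepted = size_unchecked(count, elem_size);
    if (accepted < 0)
        return false;                     /* request rejected, nothing allocated */
    uint64_t needed = (uint64_t)count * (uint64_t)elem_size;
    return needed > (uint64_t)accepted;
}

int main(void)
{
    /* Constructed input: 0x40000001 * 4 = 2^32 + 4, which wraps to 4. */
    uint32_t count = 0x40000001u, elem = 4u;
    printf("unchecked accepts %lld bytes, checked returns %lld, overflow=%d\n",
           (long long)size_unchecked(count, elem),
           (long long)size_checked(count, elem),
           (int)copy_would_overflow(count, elem));
    return 0;
}
```

Building with `-fsanitize=undefined` would not flag the unchecked multiplication, because unsigned wraparound is defined behaviour in C; the bug only becomes visible when the undersized buffer is written to, which is why the check has to happen before the allocation.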
Exploitation of Tizen, WebOS, and Android TV for Residential Proxy Botnets
Threat actors and commercial entities are leveraging Smart TV ecosystems, specifically Samsung Tizen, LG WebOS, and Android TV, to establish massive residential proxy networks. Attackers exploit OS-level vulnerabilities in Tizen (versions through 9.0) and WebOS, alongside exposed Android Debug Bridge (ADB) ports on Android TV devices, to deploy botnets such as Kimwolf. Concurrently, "gray-market" commercial actors embed SDKs (e.g., Bright Data/Luminati) in free consumer applications to hijack outbound bandwidth. This dual-vector approach enables large-scale web scraping, unauthorized monetization of consumer IP reputation, and significant privacy erosion by turning always-on residential devices into high-bandwidth proxy exit nodes.
Microsoft Android Apps: Token Exposure via Manifest Misconfiguration
A production misconfiguration in six Microsoft 365 Android applications (Word, PowerPoint, Excel, Microsoft 365 Copilot, Microsoft Loop, and OneNote) exposed billions of installations to unauthorized Microsoft account (MSA) token theft. The vulnerability stemmed from a debug flag, IsDebugMode(true), erroneously shipped in production binaries. This setting disabled the isolation mechanisms that restrict OAuth 2.0 tokens to authorized Microsoft applications, allowing malicious third-party apps on the same device to intercept the tokens via Android Inter-Process Communication (IPC) and Intents. Successful exploitation enables full Account Takeover (ATO): the attacker bypasses authentication boundaries and gains unauthorized access to sensitive cloud data, including Outlook emails and OneDrive documents.