Google fixes more than 100 vulnerabilities in Android, including two actively exploited zero-days

  • Google has patched 107 vulnerabilities in Android, including two zero-days that were already being exploited in targeted attacks.
  • The flaws affect the framework, the system, the kernel and closed-source third-party components from Arm, MediaTek, Qualcomm and Unisoc.
  • Critical denial-of-service and privilege-escalation vulnerabilities have been fixed.
  • Android users should install the December security patch level as soon as their manufacturer makes it available.

Android security update

Google has published its December security bulletin confirming fixes for more than one hundred vulnerabilities in Android. This patch package is particularly important because it includes several critical flaws and two zero-day vulnerabilities that were already being exploited in targeted attacks. The update is being rolled out gradually to compatible devices worldwide, including those sold in Spain and the rest of Europe.

In total, the bulletin covers 107 security flaws spread across the framework, the system, the kernel and closed-source third-party components. The fixes are grouped into two patch levels, dated December 1 and December 5, which manufacturers integrate into their own customization layers before shipping them to users.

More than 100 vulnerabilities: what Google has fixed

Critical vulnerabilities in Android

Google's bulletin details that the 107 vulnerabilities affect different layers of Android: the framework (the foundation on which many system functions and apps run), the system, the Linux kernel, and the proprietary third-party components integrated into many phones.

The package includes two flaws classified as zero-days, tracked as CVE-2025-48633 and CVE-2025-48572, both rated high severity. Google acknowledges that these vulnerabilities were being exploited in limited and highly targeted attacks, a pattern typically associated with advanced surveillance campaigns against high-value targets rather than with mass exploitation.

Google has withheld most technical details for security reasons, but it has stated that CVE-2025-48633 allows unauthorized information disclosure: it lets an attacker read data that should remain protected. CVE-2025-48572, for its part, is an elevation-of-privilege flaw, a class of vulnerability that gives an attacker more control over the device than a normal application should have.

In addition to the two zero-days, the bulletin includes a critical denial-of-service (DoS) vulnerability, CVE-2025-48631, in the Android framework. A flaw of this kind can make the system unresponsive, freeze it or push it into reboot loops, seriously affecting the availability and stability of the device.

The bulletin also lists four more critical kernel vulnerabilities, CVE-2025-48623, CVE-2025-48624, CVE-2025-48637 and CVE-2025-48638. All four are privilege-escalation issues, which is especially serious because they sit at the core of the operating system and can open the door to deep, hard-to-detect compromises.

Manufacturers and components affected

The fixes are not limited to code developed directly by Google. The bulletin states that some of the 107 flaws are in closed third-party components, such as those supplied by the processor and connectivity vendors widely used across the Android ecosystem.

Specifically, the update resolves two vulnerabilities in Arm components, 17 in MediaTek components, 11 in Qualcomm components and 13 in Unisoc chips. These suppliers provide hardware and firmware to a wide range of phone brands, so the fixes reach devices of very different price ranges and manufacturers.

According to the available information, the affected Android versions run from Android 13 onwards, which covers a very large share of the active installed base. Given the market share of those versions, potentially billions of devices remain vulnerable until they apply the patch.

Google structures the update into two patch levels, 2025-12-01 and 2025-12-05. The first covers the framework and system fixes, while the second adds the kernel and vendor-specific component fixes; a device reporting the 2025-12-05 level therefore carries both sets. In practice the user sees a single update, but manufacturers can integrate the two levels in stages to speed up deployment.

Impact on users in Spain and Europe

In day-to-day terms, the main risk for European users is that a phone that has not received the December patch may become the target of highly targeted attacks capable of stealing sensitive information or taking deeper control of the device.

Information-disclosure flaws can give an attacker access to personal data, credentials, application content or fragments of memory that should be protected. A privilege-escalation flaw, meanwhile, can facilitate installing malware with elevated permissions, disabling security measures or spying on the device more covertly.

In Spain and the rest of the European Union, where mobile banking, healthcare and e-government services are widely used, exploiting these flaws could have a particular impact. A compromised phone puts at risk not only personal photos and conversations but also financial transactions, dealings with public agencies and two-factor authentication codes.

Google stresses that the zero-days have been used in "limited, targeted" attacks, a phrasing usually associated with advanced surveillance operations rather than mass malware campaigns. Industry reports indicate that similar vulnerabilities have in the past been exploited by commercial spyware vendors such as NSO Group, Candiru and Intellexa, which specialize in sophisticated interception tools.

How the patch arrives on Android phones

On Pixel phones, which Google manages directly, security updates usually arrive in the first few days of the month. In Spain, Pixel users receive the patch over the air (OTA) without any extra steps beyond accepting the download.

For the other manufacturers present in Europe, such as Samsung, Xiaomi, OPPO, OnePlus, Motorola or realme, the rollout schedule depends on each brand and model. Flagships and recent mid-range phones are usually the first to receive monthly patches, while older or entry-level devices may wait several weeks, or never receive them if they have reached the end of their update cycle.

Many manufacturers also bundle security patches with minor system improvements in a single update, so the user may see one package that includes interface changes, small bug fixes and, at the same time, the December Android patch level.

Owners of phones that are no longer supported, which is common after several years of use, are in a more precarious position: the device keeps working, but it stops receiving fixes for vulnerabilities of this type. In such cases it is advisable to take extra precautions and to seriously consider moving to a model that still receives patches.

Recommendations for protecting your mobile phone

Beyond Google's own patch, a number of basic measures, such as keeping backups, can reduce the impact of these vulnerabilities, especially while the update is not yet available or on devices with limited support.

  • Manually check for updates under Settings > System > System update (or the equivalent in the manufacturer's layer) and apply the December security patch as soon as it is offered.
  • Keep all applications updated from Google Play, as some fixes are also distributed through Google Play Services and other updatable system components.
  • Avoid installing APK files from unverified sources. This reduces the chance of introducing malware that attempts to exploit privilege-escalation or information-disclosure flaws.
  • Review the permissions of the apps already installed, paying special attention to access to SMS, calls, contacts, microphone, camera, location and internal storage.
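The patch level a phone actually carries can be read from a computer instead of scrolling through Settings. The script below is an added example, not part of Google's bulletin or of this article: it reads the real `ro.build.version.security_patch` system property over adb (assuming adb is installed and USB debugging is enabled on the phone) and classifies the value against the bulletin's two levels, 2025-12-01 and 2025-12-05. The threshold constants, the status words and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bulletin or the article): classify an Android
# device's reported security patch level against the December 2025 bulletin.
# ro.build.version.security_patch is the real system property (YYYY-MM-DD);
# the thresholds are the two patch levels named in the bulletin.

REQUIRED_BASE=20251201   # 2025-12-01: framework / system fixes
REQUIRED_FULL=20251205   # 2025-12-05: adds kernel and vendor (Arm, MediaTek, Qualcomm, Unisoc) fixes

# Return 0 when $1 looks like YYYY-MM-DD, 1 otherwise.
is_iso_date() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-1][0-9]-[0-3][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one word describing a patch level string:
#   full     level >= 2025-12-05: every fix in the December bulletin
#   partial  2025-12-01 .. 2025-12-04: framework/system only, kernel and vendor fixes still missing
#   missing  older than 2025-12-01: the December bulletin has not arrived
#   invalid  not a YYYY-MM-DD string (empty getprop output, unusual build)
patch_level_status() {
    level="$1"
    if ! is_iso_date "$level"; then
        echo invalid
        return 0
    fi
    # Drop the dashes so the date can be compared as a plain integer.
    n=$(printf '%s' "$level" | sed 's/-//g')
    if [ "$n" -ge "$REQUIRED_FULL" ]; then
        echo full
    elif [ "$n" -ge "$REQUIRED_BASE" ]; then
        echo partial
    else
        echo missing
    fi
}

# Read the level from a connected, USB-debugging-enabled device via adb.
# Strips the trailing CR that some adb builds append. Optional serial in $1.
read_device_patch_level() {
    if [ -n "${1:-}" ]; then
        adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r'
    else
        adb shell getprop ro.build.version.security_patch | tr -d '\r'
    fi
}

# Usage:  sh check_patch.sh --device [serial]   (query a connected phone)
#         sh check_patch.sh 2025-11-01          (classify a level by hand)
case "${1:-}" in
    --device)
        lvl=$(read_device_patch_level "${2:-}")
        echo "system patch level: ${lvl:-<none>} -> $(patch_level_status "$lvl")"
        ;;
    "") : ;;   # no arguments: only define the functions (sourced or under test)
    *)  patch_level_status "$1" ;;
esac
```

A phone reporting 2025-12-01 has the framework and system fixes but still lacks the kernel and vendor fixes described earlier, which is why the script distinguishes "partial" from "full". On many devices the vendor partition carries its own level in `ro.vendor.build.security_patch`; when that property is present it is worth reading as well, since a device can show a current system level while its vendor firmware lags.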

On devices that no longer receive official patches, it is advisable to limit their use for particularly sensitive operations, such as mobile banking or handling highly private data. Reputable security software can also help, always combined with prudent use of the device.

Google's December bulletin shows the extent to which security on Android is a continuous and complex process, with flaws of varying severity spread across the system, the kernel and components from multiple vendors. Fixing more than one hundred vulnerabilities, including two exploited zero-days and several critical flaws, strengthens the protection of millions of devices, but it also underscores the importance of installing updates as soon as they are available and of maintaining prudent usage habits to shrink the room for maneuver of potential attackers.
