Google Squashes 62 Android Flaws in April 2025 Update; Serbian Authorities Linked to Zero-Day Exploits

Google patches 62 Android flaws, including two zero-days exploited by Serbian authorities via a Cellebrite exploit chain. Update now.

07-Apr-2025

Google has rolled out critical patches for 62 security vulnerabilities in its April 2025 Android Security Bulletin, including two zero-day exploits actively weaponized in targeted attacks. The fixes come amid revelations that Serbian law enforcement agencies leveraged a sophisticated exploit chain—developed by Israeli forensics firm Cellebrite—to bypass security on seized Android devices.

Exploit Chain Tied to Law Enforcement Unlocks Devices

The most severe flaw, tracked as CVE-2024-53197, is a high-severity privilege escalation bug in the Linux kernel’s USB-audio driver (ALSA). According to Amnesty International’s Security Lab, Serbian authorities used this vulnerability as part of a multi-layered exploit chain to unlock devices confiscated during investigations.

The chain also included two previously patched zero-days:

  • CVE-2024-53104 (USB Video Class flaw, fixed February 2025)
  • CVE-2024-50302 (Human Interface Devices flaw, patched March 2025)

Amnesty uncovered the exploits in mid-2024 while analyzing logs from devices unlocked by Serbian police. Google confirmed it had shared fixes for these vulnerabilities with OEM partners in January 2025, ahead of public disclosure.

“We were aware of these vulnerabilities and the exploitation risk prior to these reports. Fixes were shared with OEMs in a partner advisory on January 18,” a Google spokesperson stated.

Second Zero-Day Leaks Sensitive Device Data

The April update also addresses CVE-2024-53150, an Android kernel information disclosure vulnerability that lets a local attacker read sensitive data through an out-of-bounds read. Exploitation requires no user interaction, heightening the risk for unpatched devices.

March 2025 Patches: 60 Flaws Fixed

Last month’s security update resolved 60 additional vulnerabilities, predominantly high-severity privilege escalation bugs. Google has now issued two security patch levels for April:

  1. 2025-04-01: Framework and system component fixes.
  2. 2025-04-05: Kernel and third-party closed-source driver patches.

While Pixel devices receive updates immediately, OEMs like Samsung and Xiaomi face delays due to testing and hardware customization. Experts warn fragmented rollouts leave millions of devices exposed.

Serbian Government’s Spyware History

This marks the second time in six months Serbian authorities have been tied to Android exploits. In November 2024, Google patched CVE-2024-43047, a zero-day used in NoviSpy spyware attacks targeting activists, journalists, and protesters.

Recommended actions:

  • Pixel users: Install updates immediately via Settings > Security.
  • Non-Pixel Android users: Monitor OEM advisories; delays expected.
  • Enterprise teams: Prioritize patch deployment amid heightened state-sponsored threats.
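
For enterprise teams checking whether a fleet has actually received the two April patch levels listed above, the following POSIX shell script is an added example (not code from the article or from Google). It reads the Android system property ro.build.version.security_patch, which reports the device's security patch level as YYYY-MM-DD, and classifies it against the 2025-04-01 and 2025-04-05 levels named in the bulletin; the adb call assumes adb is on PATH and the device is authorized for USB debugging, and the sample values at the bottom are constructed so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the article): classify an Android security patch
# level against the April 2025 bulletin's two patch levels.
#
# 2025-04-01 carries the framework/system fixes; 2025-04-05 adds the kernel
# and closed-source driver fixes, which is where the USB-audio (ALSA), UVC
# and HID kernel bugs in the Cellebrite chain are addressed.
FULL_LEVEL="2025-04-05"
PARTIAL_LEVEL="2025-04-01"

# patch_status LEVEL
#   prints "full" (>= 2025-04-05), "partial" (>= 2025-04-01 only),
#   "missing" (older) or "invalid" (not a YYYY-MM-DD string).
#   Dates in YYYY-MM-DD form compare correctly as integers once the
#   dashes are stripped, so no date parsing is needed.
patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 3 ;;
    esac
    n=$(printf '%s' "$level" | tr -d '-')
    full=$(printf '%s' "$FULL_LEVEL" | tr -d '-')
    partial=$(printf '%s' "$PARTIAL_LEVEL" | tr -d '-')
    if [ "$n" -ge "$full" ]; then
        echo "full"; return 0
    elif [ "$n" -ge "$partial" ]; then
        echo "partial"; return 1
    else
        echo "missing"; return 2
    fi
}

# check_device: query a connected device over adb (assumed on PATH, device
# authorized for USB debugging) and report its patch status.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    if [ -z "$level" ]; then
        echo "no device found or adb not available"; return 4
    fi
    echo "security patch level $level: $(patch_status "$level")"
}

# Constructed sample levels so every branch is visible without a device.
for sample in 2025-04-05 2025-04-01 2025-03-05 unknown; do
    printf '%-12s -> %s\n' "$sample" "$(patch_status "$sample")"
done
```

Because OEM kernels and closed-source drivers ship on the 2025-04-05 level, a device reporting only 2025-04-01 has the framework fixes but not the kernel patches for CVE-2024-53197 and CVE-2024-53150; a fleet report should treat "partial" as still exposed to the exploit chain described in the article.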

Google’s continued transparency underscores the escalating arms race between tech giants and forensic exploit vendors. As Cellebrite’s tools proliferate globally, timely updates remain the frontline defense for Android’s 3.5 billion users.