Android Vulnerabilities Put Over 1 Billion Phones At Risk

Google has confirmed that more than a billion Android devices are at risk due to security vulnerabilities that will never be patched on those devices. The company recently warned about two exploited flaws—CVE-2025-48633 and CVE-2025-48572—that could allow attackers to access sensitive data or gain elevated system privileges.

While Google has issued fixes for devices running Android 13 through 16, over 30% of Android phones still run Android 12 or earlier, leaving them permanently exposed. Even for supported devices, updates can take time to reach users because OEMs need to integrate patches, and many users delay installation.

Cybersecurity experts highlight the growing threat. Zimperium notes that more than half of mobile devices each year run outdated software, increasing their vulnerability to attacks. BeyondTrust’s James Maude warns that what starts as targeted attacks could quickly evolve into widespread exploits.

Google has also introduced security and privacy updates in its latest Play Store releases, including warnings for apps that fail Play Protect verification and enhanced controls over data collection and personalization. However, these updates are delayed for some devices, particularly older Samsung models.

Android’s Advanced Protection Mode, which offers additional safeguards against scams, theft, and other threats, is not enabled by default on many devices, even those running the latest Android 16. Security analysts argue that broader adoption of this feature could help narrow the security gap with Apple devices, where system updates reach nearly all users simultaneously.

The situation highlights a fundamental challenge in Android’s fragmented ecosystem: while new features and security fixes are available, a significant portion of users remains vulnerable, underscoring the need for more comprehensive support or alternative mitigation