Google Urges Urgent Android Update as Zero-Day FreeType Bug Spreads Without a Tap
Google has issued an emergency security patch for billions of Android devices after confirming that attackers are already exploiting a “no-user-interaction” vulnerability tracked as CVE-2025-27363. The flaw, hidden inside the FreeType font-rendering engine shipped with Android, lets malicious code run the moment a booby-trapped font is processed—no tap, download or other action required.
What the bug does
FreeType handles everything from emoji to app icons. A bounds-checking error in versions 2.13.0 and earlier allows an attacker to overwrite memory while parsing advanced TrueType GX or variable-font tables. Successful exploitation grants the intruder the same privileges as the app that loaded the font, a foothold often good enough to implant spyware or steal data. Because fonts are rendered by many system components—including messaging apps and browsers—simply receiving a crafted message or opening a compromised web page can trigger the attack.
Exploitation already in the wild
Security teams have flagged live attacks and raised the vulnerability’s severity score to 8.1 (High). Google calls the exploitation “limited and targeted,” but history shows that once proof-of-concept code circulates, broader campaigns tend to follow quickly.
Who is at risk?
Any handset, tablet or wearable running Android that has not yet received the May 2025 security update is vulnerable. Google-branded Pixel phones began receiving the patch over-the-air on Monday night, while Samsung, OnePlus and other vendors are expected to include it in their next monthly releases. Older models stuck on out-of-support firmware may remain exposed.
How to protect yourself
- Check your patch level
  Open Settings › About phone › Android version and look for Security patch level: 2025-05-05 (or later).
- Install updates immediately
  If the update hasn’t arrived, tap System update and manually check, or connect to Wi-Fi and try again in 24 hours.
- Limit sideloading
  Google Play Protect can only scan apps installed through official channels. Until patched, avoid sideloading APKs or using third-party stores.
- Update browsers
  Because exploitation can occur via web content, keep Chrome, Firefox, Brave and any other browsers fully up to date as well.
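As an added example, not part of the article, the following POSIX shell script automates the patch-level check above for a single handset or a whole device inventory. It assumes patch levels in Android's YYYY-MM-DD form, and the adb helper assumes adb is installed and the device is authorised for debugging.

```shell
#!/bin/sh
# Added example (not from the article): flag Android devices whose security patch
# level predates the 2025-05-05 bulletin carrying the CVE-2025-27363 fix. Assumes
# Android's YYYY-MM-DD patch-level form; the adb helper assumes adb is installed.
REQUIRED_PATCH="2025-05-05"

# Returns 0 when the patch level is on or after REQUIRED_PATCH, 1 when it is
# older, and 2 when the value is missing or malformed (treat as unpatched).
patch_level_ok() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes so the dates compare as plain integers (POSIX test
    # has no string "<" operator).
    have=$(printf '%s' "$level" | sed 's/-//g')
    need=$(printf '%s' "$REQUIRED_PATCH" | sed 's/-//g')
    [ "$have" -ge "$need" ]
}

# Reads "serial patch_level" lines on stdin and prints "serial STATUS" per
# device, where STATUS is PATCHED, VULNERABLE or UNKNOWN.
classify_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        rc=0
        patch_level_ok "$level" || rc=$?
        case "$rc" in
            0) status=PATCHED ;;
            1) status=VULNERABLE ;;
            *) status=UNKNOWN ;;
        esac
        printf '%s %s\n' "$serial" "$status"
    done
}

# Queries the connected handset's patch level; ro.build.version.security_patch
# is the property behind Settings > About phone > Android version.
check_local_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    printf 'local-device %s\n' "$level" | classify_inventory
}

# Usage: sh check_patch.sh --adb   (only contacts a device when asked)
if [ "${1-}" = "--adb" ]; then
    check_local_device
fi
```

Devices reported as UNKNOWN have no parseable patch level and should be handled as if they were vulnerable.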
The bigger picture
CVE-2025-27363 is Google’s fifth Android zero-day of 2025 and the second in three months that required no user action. Last year, the company catalogued 75 such zero-days across its ecosystem—an all-time high. The FreeType flaw highlights an uncomfortable trade-off: rich typography features add eye candy but expand the attack surface.
With state-sponsored actors increasingly chaining zero-days to bypass sandboxing and SELinux, timely patching remains the best defence. For end-users, that means hitting ‘install’ the moment the update lands; for device makers, it means shortening the lag between Google’s bulletin and handset-level roll-outs.
Bottom line
If your Android device’s security patch level is dated before 5 May 2025, assume you are a target and update now. One poisoned font is all it takes.