The company confirmed that two high-severity vulnerabilities, tracked as CVE-2025-48633 and CVE-2025-48572, are being exploited in targeted attacks linked to mercenary spyware.

While patches have been released, they only apply to devices running Android 13 through Android 16.

That leaves more than 30 per cent of Android phones - over one billion devices - permanently unprotected.

The flaws sit within Android’s framework and can be triggered remotely without requiring elevated privileges.

Google has said there are “indications” the vulnerabilities are already being used in the wild, and history suggests such exploits rarely stay limited for long.

Once weaponised more broadly, they can be chained with other bugs to enable deeper compromise.

The core issue is fragmentation, as Android updates must pass through manufacturers, many of which take weeks - or months - to roll them out.

Even users with supported phones can be left exposed during that delay.

For those still running Android 12 or older, however, there is no update coming at all.

Mobile security firm Zimperium has warned that more than half of smartphones worldwide are typically running outdated software at any given time, making them prime targets as attacks accelerate.

By comparison, Apple’s tightly controlled update model means roughly 90 per cent of iPhones are running supported versions of iOS.

Google is urging users to install security updates as soon as they become available and to seriously consider upgrading if their device is no longer supported.