
Android: Behind the May 2025 Security Bulletin.

May begins strongly for Android users and cybersecurity professionals. As usual, Google has published its monthly security bulletin. But this time, a critical vulnerability being actively exploited has slipped into the list, drawing attention well beyond the usual circle of technicians.

At the heart of this bulletin is a flaw identified as CVE-2025-27363. From a technical standpoint, it allows a local application to take control of the system without user interaction and without specific authorization. In simple terms, an attacker who manages to install a malicious application on a vulnerable device can execute code at will. This is not a hypothesis, as Google confirms that this vulnerability has already been exploited by cybercriminals, making it a "zero-day" case, a vulnerability known to attackers even before being patched.

But this is not the only vulnerability addressed in this update. The bulletin covers a series of fixes affecting key system components, starting with the Android framework and the system itself, but also the Linux kernel, graphics drivers, and several modules provided by processor and chip manufacturers (MediaTek, Qualcomm, Arm, among others). Some flaws allowed security policies to be bypassed, others enabled the retrieval of confidential data, and still others granted higher privileges than intended.

What this bulletin particularly illustrates is the growing complexity of security on mobile devices. Android is now a fragmented ecosystem where each manufacturer adapts the system version to their devices, and update timeframes vary greatly from one model to another. To counter this fragmentation, Google deploys certain fixes directly through the Google Play system, allowing faster correction of sensitive elements such as the permission manager or network components.

It’s also worth noting that the bulletin distinguishes between two levels of patches. The May 1st patch fixes the most urgent vulnerabilities, particularly the one being actively exploited. The May 5th patch goes further, adding fixes for the Linux kernel and for specific hardware components. It is, in a way, the second stage of the rocket, aimed at manufacturers and the most exposed users.

For users, the best response remains simple: install updates as soon as they become available. Regularly checking one's security patch level has become a reflex as essential as updating antivirus software on a computer. And for companies, it's time to treat mobile device management with the same seriousness as workstations, with a clear update policy, appropriate supervision tools, and user awareness of the risks associated with unverified applications.
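As an added illustration (not part of Google's bulletin or tooling), here is how a fleet could be checked against the two patch levels described above. It assumes an MDM export with hypothetical columns `device_id` and `security_patch`, the latter holding the date string a device reports as its security patch level (the `ro.build.version.security_patch` system property); the inventory is constructed sample data.

```python
import csv
import io
from datetime import date

# The two patch levels the article describes for the May 2025 bulletin.
BASE_LEVEL = date(2025, 5, 1)  # most urgent fixes, incl. the exploited flaw
FULL_LEVEL = date(2025, 5, 5)  # adds Linux kernel and hardware component fixes


def parse_patch_level(raw):
    """Parse a YYYY-MM-DD patch level; return None if missing or malformed."""
    try:
        return date.fromisoformat(raw.strip())
    except (ValueError, AttributeError):
        return None


def classify(raw):
    """Map a reported patch level to a remediation status."""
    level = parse_patch_level(raw)
    if level is None:
        return "unknown"             # device did not report: investigate
    if level < BASE_LEVEL:
        return "missing-2025-05-01"  # lacks the most urgent fixes
    if level < FULL_LEVEL:
        return "missing-2025-05-05"  # lacks kernel/hardware fixes
    return "current"


def audit(inventory_csv):
    """Group device ids by status for a CSV of device_id,security_patch."""
    report = {"missing-2025-05-01": [], "missing-2025-05-05": [],
              "unknown": [], "current": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        report[classify(row.get("security_patch"))].append(row["device_id"])
    return report


# Constructed sample inventory (hypothetical device ids, not real data).
SAMPLE_INVENTORY = """device_id,security_patch
phone-001,2025-05-05
phone-002,2025-05-01
phone-003,2025-04-05
tablet-004,
phone-005,2025-06-01
phone-006,not-reported
"""

if __name__ == "__main__":
    for status, devices in audit(SAMPLE_INVENTORY).items():
        print(f"{status:20} {len(devices)}  {', '.join(devices)}")
```

Devices in the `unknown` group deserve the same follow-up as unpatched ones, since a missing or malformed value says nothing about their actual state.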

This May bulletin doesn't sound an alarm, but it reminds us that security is an ongoing effort. Attackers advance, and defenders do too. In this balancing act, the speed of applying patches remains one of the most effective weapons.
