CVE-2025-48572 — Android Framework Privilege Escalation Vulnerability

Android Framework — Background Activity Launch Restriction Bypass; Limited Targeted Exploitation; December 2025

What is the Android Framework?

The Android Framework is the core Java/Kotlin runtime layer that manages application lifecycle, inter-process communication, system services, and permission enforcement on Android devices. It includes critical security controls such as background activity launch restrictions — which stop apps from unexpectedly starting activities (UI screens) in the foreground when they should not be visible — to defend users against UI-spoofing, overlay, and social engineering attacks.

Overview

CVE-2025-48572 is a missing authentication / missing access control vulnerability (CWE-306) in the Android Framework that allows a locally installed app with standard user privileges to bypass Android's background activity launch restrictions. By exploiting missing checks at multiple locations in the Framework, an attacker's app can launch privileged or system UI activities that Android's permission model should block, enabling local privilege escalation. Google confirmed limited, targeted exploitation — language consistent with spyware or commercial surveillance tool usage.

Affected Versions

Platform     Vulnerable                        Fixed
Android 13   Before 2025-12-01 patch level     December 2025 patch level
Android 14   Before 2025-12-01 patch level     December 2025 patch level
Android 15   Before 2025-12-01 patch level     December 2025 patch level
Android 16   Before 2025-12-01 patch level     December 2025 patch level

Technical Details

Android's background activity launch (BAL) restrictions are a security mechanism that prevents apps from starting new activities (UI screens) while they are in the background, blocking phishing overlays and unauthorized UI access. CVE-2025-48572 stems from missing authentication or missing access control checks (CWE-306) at multiple points in the Framework's activity management code path.

By bypassing BAL restrictions, a malicious app can:

  • Launch system settings activities to grant itself additional permissions
  • Display phishing overlays on top of legitimate apps
  • Access system-privileged UI components not normally reachable by third-party apps

The vulnerability is local (AV:L) — the malicious app must be installed on the device — but it requires only the low privileges of an ordinary installed app (PR:L) and no user interaction to trigger (UI:N), meaning it can activate silently in the background.

Discovery

Discovery has not been publicly attributed. Google's "limited, targeted exploitation" language suggests a government or commercial spyware operator, consistent with other Android zero-days in 2025.

Exploitation Context

CISA added CVE-2025-48572 to the KEV catalog on December 2, 2025 — the same day as the Android Security Bulletin — confirming active exploitation before disclosure. Google's December 2025 bulletin also patched CVE-2025-48633 (an information disclosure vulnerability) alongside CVE-2025-48572, suggesting they may be part of the same attack chain.

Remediation

  1. Apply Android December 2025 security patches (patch level 2025-12-01 or later) on all Android 13–16 devices immediately. The CISA deadline was December 23, 2025.
  2. Pixel devices receive patches directly from Google. OEM devices (Samsung, OnePlus, etc.) may receive patches with delays — check your manufacturer's security bulletin.
  3. Enterprise managed devices: use MDM/EMM to enforce minimum Android patch level policies.
  4. Review installed apps for unfamiliar applications with unusual permissions, particularly apps installed from outside the Play Store.
  5. Enable Google Play Protect and ensure it is kept current for detection of known malicious apps.
  6. Apply companion patch CVE-2025-48633 if not already included — both vulnerabilities were patched in the same December 2025 bulletin.
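As an added example (not part of this advisory), the POSIX shell script below applies the affected-version table to a device's reported Android release and security patch level, with an adb wrapper for live devices. The system property names are real Android properties; the function names and status labels are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a device's exposure to
# CVE-2025-48572 from its Android release and security patch level.
# The advisory lists Android 13-16 as affected, fixed at patch level
# 2025-12-01 or later. Patch levels are YYYY-MM-DD; removing the dashes
# yields an integer that can be compared numerically.

FIXED_PATCH_LEVEL=20251201

# cve_2025_48572_status <android_release> <security_patch_level>
# Prints one of: patched | vulnerable | not_listed | unknown
cve_2025_48572_status() {
    release=$1
    patch=$2
    # ro.build.version.release is "14" on some builds and "14.0" on others.
    major=${release%%.*}
    case "$major" in
        13|14|15|16) ;;
        ''|*[!0-9]*) echo unknown; return 0 ;;   # release missing or malformed
        *) echo not_listed; return 0 ;;          # not in the advisory's affected list
    esac
    case "$patch" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;             # patch level missing or malformed
    esac
    year=${patch%%-*}
    rest=${patch#*-}
    month=${rest%%-*}
    day=${rest#*-}
    if [ "$year$month$day" -ge "$FIXED_PATCH_LEVEL" ]; then
        echo patched
    else
        echo vulnerable
    fi
}

# Query a connected device over adb and classify it. Extra arguments are
# passed through to adb (for example "-s <serial>" with several devices).
check_device_via_adb() {
    release=$(adb "$@" shell getprop ro.build.version.release | tr -d '\r')
    patch=$(adb "$@" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf 'release=%s patch=%s status=%s\n' "$release" "$patch" \
        "$(cve_2025_48572_status "$release" "$patch")"
}

# Only touch adb when asked explicitly, so the file can also be sourced.
if [ "${1:-}" = "--device" ]; then
    shift
    check_device_via_adb "$@"
fi
```

Run it as `sh check.sh --device` (or `--device -s SERIAL`) against an attached device; the classification function can also be sourced into MDM inventory scripts that already export the two properties.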

Key Details

Property              Value
CVE ID                CVE-2025-48572
Vendor / Product      Android — Framework
NVD Published         2025-12-08
NVD Last Modified     2025-12-10
CVSS 3.1 Score        7.8
CVSS 3.1 Vector       CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity              HIGH
CWE                   CWE-306
CISA KEV Added        2025-12-02
CISA KEV Deadline     2025-12-23
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector:        Local
Attack Complexity:    Low
Privileges Required:  Low
User Interaction:     None
Scope:                Unchanged
Confidentiality:      High
Integrity:            High
Availability:         High

Required Action

CISA BOD 22-01 Deadline: 2025-12-23. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2025-12-01   Android December 2025 Security Bulletin published with fix
2025-12-02   CVE published; CISA adds to KEV (limited, targeted exploitation confirmed)
2025-12-08   NVD publication date
2025-12-23   CISA BOD 22-01 remediation deadline