Patchday: Critical malicious code vulnerability threatens Android 14, 15, and 16
Malicious code can slip onto Android devices through a faulty debugging module. Google has now closed the critical vulnerability.
Google Android Bugdroid in front of lock symbol.
(Image: Primakov/Shutterstock.com)
To prevent attacks on smartphones and tablets with Android 14, 15, 16, and 16qpr2, owners of devices still under support should install the latest security update. In addition to Google's Pixel series, it is also available for selected devices from Samsung, among others (see box).
Support for Android 13 ended in March of this year, and this version has not received security patches since then. Millions of devices are affected by this.
Smartphones compromisable
If attackers exploit a –critical– security vulnerability (CVE-2026-0073) in the adbd debugging module, they can remotely execute malicious code, the developers explain in a warning message. Typically, systems are then considered fully compromised. How such an attack could occur is currently unclear. So far, there are no indications from Google that attackers are already exploiting the vulnerability. The developers state that they have resolved the security problem in Patch Level 2026-05-01.
Videos by heise
In July 2025, Google decided to only close security vulnerabilities deemed particularly dangerous according to its assessment on the monthly Android Patchday. Further patches have followed quarterly since then.
(des)
