The world of cybersecurity can be a funny old place sometimes. In the same week that Mac users were warned that Apple passwords are at risk if they install an update, Android users are now being told their smartphones could be hacked if they don’t. Here’s what you need to know about the “no user interaction required” attacks and what you must do right now to stop them in their tracks.
What Is CVE-2025-27363 And Why Must Android Users Update Now?
Cybersecurity can also be confusing sometimes. Attacks use urgency as leverage, as evidenced by the latest PayPal security alert. Yet vendors and service providers simultaneously urge users to update now. Google security researchers issue detailed technical information about a Windows password-stealing threat in the same week that Android users are informed that a no-user-interaction vulnerability is being exploited by attackers in the wild. Zero-day attacks are no stranger to Google, what with it reporting 75 of them last year. The latest, CVE-2025-27363, has been confirmed by Google as it releases a security update to mitigate it.
According to Google, CVE-2025-27363 is a vulnerability that “could lead to local code execution with no additional execution privileges needed.” Critically, Google has also confirmed that “user interaction is not needed for exploitation.” Which is all very bad news, but it gets worse: the attacks against Android users are already underway. “There are indications that CVE-2025-27363 may be under limited, targeted exploitation,” Google warned.
The NIST National Vulnerability Database describes CVE-2025-27363 as an out-of-bounds issue in “FreeType versions 2.13.0 and below” that occurs when “attempting to parse font subglyph structures related to TrueType GX and variable font files.” All you really need to know is that this means an attacker could, under certain circumstances, execute arbitrary code. Well, that, and the small matter of the number of devices that the FreeType software is deployed on across various products, which is more than a billion.
The good news is that the latest Android security updates mitigate the attack risk by applying the necessary patch, assuming your device is eligible for the update. If it is, then I would advise you to apply this particular update as soon as is practically possible.