
Google is urging Android users to update now after discovering a critical flaw that could allow attackers to compromise their devices without needing extra permissions or user interaction.
The bug, tracked as CVE-2026-0073, has been patched in Google’s latest security update.
However, protection depends on device manufacturers pushing the fix to users – meaning many Android owners will need to check manually and update their software to be fully protected.
The vulnerability affects recent versions of Android, specifically Android 14, 15, and 16 (including newer interim releases), and can be fixed with the May 1st 2026 security update.
Bug could lead to phone takeover
What makes this vulnerability concerning is its zero-click rating (no phishing or social engineering is required), which has led to the bug being labeled “critical.”
According to Google’s Android security bulletin, the bug affects the core part of the Android operating system.
Vulnerabilities at this level are particularly serious because they sit beneath apps and user controls and can affect the entire device.
According to Google, the issue could be exploited by an attacker in close proximity or on the same network as the target device.
“The vulnerability in this section could lead to remote (proximal/adjacent) code execution as the shell user, with no additional execution privileges needed. User interaction is not needed for exploitation,” the company said in its advisory.
Developer feature exposed
The weakness lies in Android Debug Bridge (ADB), a built-in feature that allows developers and engineers to communicate with a device from a computer.
While ADB is not intended to be exposed in everyday use, the flaw could allow attackers to access it in ways that open a path.
Adam Boynton, senior enterprise strategy manager at Jamf, said this developer tool was clearly never meant to be exposed or accessible on live devices in a way that attackers could exploit.
“May’s Android security bulletin is light in volume but notable in shape. The single critical issue, CVE-2026-0073, allows remote code execution with no user interaction required, exploiting a debug interface that should never have been a production attack surface.”
The security expert added that the flaw reflects a pattern seen in more advanced forms of mobile surveillance.
“It is the same architectural pattern commercial spyware operators have built mobile exploit chains on for years: system-level access, no user action, no obvious indicator.”
Adam Boynton, security expert, Jamf.
Limited visibility for users: the best thing to do is update
Because the vulnerability does not require hackers to interact with users or trick them into clicking links or downloading apps, it is hard for users to avoid these types of threats.
Boynton said the only protection depends on ensuring devices are kept up to date and, for high-target users, monitored at the system level.
“The defenses that work are device-level, including visibility into what is running, enforcement of patch state, and the recognition that the phone in an executive’s pocket is as much of an enterprise endpoint as the laptop on their desk,” he said.
No known exploitation, but concerns remain
Google said it was not aware of any active exploitation of CVE-2026-0073 at the time of disclosure, although the company has faced a series of recent security issues affecting Android.
In March, it confirmed that a separate flaw, CVE-2026-21385, had been actively exploited. That flaw, affecting the Qualcomm graphics component, could allow access to sensitive data stored in memory. Google did not disclose details of those attacks.
Google said it would release source code fixes for CVE-2026-0073 to the Android Open Source Project (AOSP) within 48 hours of this month’s bulletin, which was published on Monday. This should enable device manufacturers to incorporate the patch in their own updates.
As with previous releases, Pixel devices are expected to receive the first update, with other manufacturers, including Samsung, rolling out patches on a staggered basis.
The advice is to install updates on these devices as they become available.
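One way to check the patch state the article describes, as an added example that is not code from Google, Jamf or the original article. It assumes the May 1st 2026 update reports the patch-level string `2026-05-01`; the inventory format and device names are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage Android patch state against the fix level in the article.
# Assumption: the May 1st 2026 update reports the patch-level string below.
FIX_LEVEL="2026-05-01"

# Constructed inventory (name,android_release,security_patch_level); not real devices.
SAMPLE_INVENTORY='pixel-lab-01,16,2026-05-01
galaxy-field-07,15,2026-04-01
tablet-kiosk-03,14,2026-03-05
legacy-scanner-02,13,2025-12-01
byod-unknown-09,15,'

# patch_state RELEASE PATCH_LEVEL prints: patched | needs-update | not-listed | unknown
patch_state() {
    major=${1%%.*}                      # "15.0" -> "15"
    case "$major" in
        14|15|16) ;;                    # versions the article lists as affected
        ''|*[!0-9]*) echo unknown; return ;;
        *) echo not-listed; return ;;   # not named in the article; no verdict
    esac
    case "$2" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return ;;      # missing or malformed patch level
    esac
    # YYYY-MM-DD compares correctly as an integer once the dashes are removed.
    have=$(echo "$2" | tr -d '-')
    need=$(echo "$FIX_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo patched; else echo needs-update; fi
}

# triage_inventory reads inventory lines on stdin and prints "name state".
triage_inventory() {
    while IFS=, read -r name release patch; do
        [ -n "$name" ] || continue
        echo "$name $(patch_state "$release" "$patch")"
    done
}

# device_report reads both values from one attached device over adb
# (set ANDROID_SERIAL to pick a device when several are attached).
device_report() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    echo "android=$rel patch=$lvl state=$(patch_state "$rel" "$lvl")"
}

case "${1:-}" in
    --device) device_report ;;
    --sample) printf '%s\n' "$SAMPLE_INVENTORY" | triage_inventory ;;
esac
```

Run with `--sample` to triage the constructed inventory, or with `--device` to query an attached device; a `not-listed` result only means the article does not name that Android version.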