United Kingdom, Dec. 22 -- Google has issued a stark warning that a significant portion of the Android ecosystem is exposed to active security threats - with no fix on the way for millions of users.

The company confirmed that two high-severity vulnerabilities, tracked as CVE-2025-48633 and CVE-2025-48572, are being exploited in targeted attacks linked to mercenary spyware.

While patches have been released, they only apply to devices running Android 13 through Android 16.

That leaves more than 30 per cent of Android phones - over one billion devices - permanently unprotected.

The flaws sit within Android's framework and can be triggered remotely without requiring elevated privileges.

Google has said there are "indications" the vulnera...