Government of India warns of high-risk vulnerabilities affecting 3.9 billion Android devices

India’s cybersecurity watchdog, the Indian Computer Emergency Response Team (CERT-In), has issued a high-severity alert warning Android users of multiple vulnerabilities across Android 13, 14, 15, and 16.
Published on September 3, 2025, the advisory details flaws that could allow attackers to gain elevated privileges, steal sensitive data, execute arbitrary code, or cause denial-of-service attacks on devices.
The vulnerabilities affect key components of the operating system, including the Framework, Android Runtime, System, Widevine DRM, Project Mainline, and the Kernel.
Hardware-specific components developed by ARM, Imagination Technologies, MediaTek, and Qualcomm are also impacted. Because both open-source and closed-source modules are vulnerable, the issue is widespread, cutting across a large portion of the global Android ecosystem.
CERT-In has classified the flaws as high severity, warning that exploitation could compromise user privacy and system stability.
In practice, this means attackers may be able to access personal information, escalate privileges, disrupt services, or even render devices temporarily unusable. For the average user, the risk translates into potential data theft, service disruption, or exposure to malware.
The agency stressed that the vulnerabilities impact not only smartphones but also tablets, smartwatches, and other Android-powered devices.
This makes the advisory relevant to a wide range of consumers and enterprises, especially given Android’s dominant market share worldwide.
CERT-In has urged device manufacturers and end users to immediately apply the latest security patches provided by Google.
The September 2025 Android Security Bulletin contains detailed fixes and should be implemented without delay. Users are further advised to keep their devices updated, enable automatic security updates where possible, and avoid downloading apps from unverified sources to minimize exposure.
This warning highlights the recurring challenges of securing an operating system as widely deployed as Android. Given the platform’s global presence, even a single unpatched vulnerability can affect millions of users. Cybercriminals often move quickly once advisories are published, making timely updates essential to reduce risk.
The latest advisory is a reminder that maintaining security is a shared responsibility.
Google and OEMs must deliver patches swiftly, and users must ensure updates are applied on their devices. With CERT-In raising the alarm and marking these flaws as high risk, updating devices immediately is the most effective defense.