Is GrapheneOS affected?

The Forbes link unfortunately doesn't say much about how it works. This link does a little better:

https://github.com/Ashwesker/Blackash-CVE-2025-48633

The text there:

                  ┌──────────────────────────┐
                  │   Attacker (C2 Server)   │
                  └────────┬─────────────────┘
                           │ 1. Delivers malicious APK
                           │    (phishing, fake app store, drive-by)
                           ▼
  ┌─────────────────────────────────────────────────────┐
  │                Victim's Android 15 Phone            │
  │  (Security patch < 2025-12-01 → still vulnerable)   │
  └─────────────────────────────────────────────────────┘
                           │
            ┌──────────────┴──────────────┐
            ▼                             ▼
     User installs & opens       Malicious app runs in background
     "Fake Game / Tool" APK      (no permissions needed for this CVE)
            │
            │ 2. App triggers vulnerable Framework API
            │    (crafted Intent / Binder transaction)
            ▼
     ┌───────────────────────────────────┐
     │   Android Framework (buggy)       │
     │   code in Parcel/Binder handling) │
     └───────────────────────────────────┘
            │
            │ 3. Information Disclosure occurs
            │    → Sensitive data leaked without user interaction
            ▼
     Leaked data examples:
     • Device ID / IMEI
     • Installed app list
     • Account tokens
     • Contacts / SMS snippets
     • Clipboard content
     • Location history fragments
            │
            │ 4. Data silently sent back
            ▼
     ┌───────────────────────────────────┐
     │   Attacker receives stolen data   │
     → Can be sold, used for             │
     └───────────────────────────────────┘        spying, or chained with
                                             other exploits (e.g. CVE-2025-48572)

No fix yet for Samsung. Being reliant on the hardware manufacturer (or network operator?) for OS updates is the crazy world we live in.

This requires user action, right? User needs to install the APK by hand? In other words - if I don't install any crap on my phone I am safe?

While the information leakage/disclosure is a big issue, It feels like its still a big jump to get users to install off-Play Store APKs?

> This [update] was rushed out to all Pixel users.

Pixel 8 here, still don't have the update. That's... not great.

My tinfoil hat might be on too tight again... but the timing of this exploit coinciding with Google's full court press on Android user rights is just a little suspect. Especially after the ongoing public education campaign about the evils of "sideloading" an Android application.

>But in reality, Samsung (and the other Android OEMs) cannot compete with Google and its unique control over hardware and software.

Yes, they can. We are talking about applying provided security patches to source code, and then releasing a new version of their OS. For patches that have existed for months. The time from patch to release should be on the order l of days from receiving the patches to having a validated OS release with the fix being sent to users. It's not the control of Android which makes Google possible to patch their Pixel branch of AOSP faster than Samsung can patch their own. It's that Samsung doesn't care about prompt security fixes so they don't allocate engineers to do the work.

nice list of vulnerabilities and source changes

https://source.android.com/docs/security/bulletin/2025-12-01