Android December 2025 Security Bulletin: DFIR impact and fleet actions

Google published the Android Security Bulletin for December 2025 with patch levels 2025-12-01 and 2025-12-05. The most severe issue is a critical Framework vulnerability that enables remote denial of service; Google also notes two CVEs under limited, targeted exploitation. Source code patches land in AOSP within 48 hours of publication, then vendors integrate and ship updates. Verify exposure by checking each device’s reported patch level. (Android bulletin, Dec 1, 2025; Google Support: check patch level)

Intrusion Flow

• Initial effect: A crafted trigger can crash or stall Framework components, producing device unresponsiveness, ANR dialogs, or forced restarts indicative of a remote DoS. The bulletin calls out a critical Framework DoS (CVE-2025-48631) and flags CVE-2025-48633 and CVE-2025-48572 as possibly exploited in limited, targeted attacks. (Android bulletin)
• Secondary effects: Subsequent instability may surface as native crashes (tombstones) or ANR traces. Android stores ANR traces under /data/anr and records native crash “tombstones,” both captured in bugreports and written to disk. (ANR traces; Diagnose native crashes; Read bug reports)
• Patch scope: 2025-12-01 covers Framework/System and other platform fixes; 2025-12-05 adds kernel items including critical EoP in pKVM/IOMMU (for full coverage, target 12-05 fleet-wide). (Android bulletin)

Key Artifacts to Pull

• Fleet exposure evidence
  • Security patch level on-device and over ADB:

    adb shell getprop ro.build.version.security_patch    # e.g., 2025-12-05
    adb shell getprop ro.vendor.build.security_patch     # vendor partition patch
    

    The system patch level is also accessible via Build.VERSION.SECURITY_PATCH for app-side checks. The vendor patch property is defined in Android build/SEPolicy. (Build.VERSION.SECURITY_PATCH; ro.vendor.build.security_patch in build system; SEPolicy property type)
• Crash and hang evidence
  • Bugreport (captures dumpsys, dumpstate, logcat, ANR/tombstones snapshots):

    adb bugreport ./bugreport.zip
    

    Then parse the zip’s top-level bugreport-*.txt for ANRs and system_server issues. (Capture & read bug reports; Read bug reports)
  • ANR traces (root or userdebug builds):

    adb root
    adb shell ls /data/anr
    adb pull /data/anr/<anr_file>
    

    Newer Android uses multiple /data/anr/anr_* files; older versions keep /data/anr/traces.txt. (ANR traces)
  • Native crash tombstones:

    adb root
    adb shell ls /data/tombstones
    adb pull /data/tombstones/tombstone_*
    

    Tombstones are generated by debuggerd and summarized in bugreports. (Diagnose native crashes)
  • DropBox (system crash log queue) for tags like SYSTEM_TOMBSTONE and system_server_native_crash:

    adb shell dumpsys dropbox | grep -i "tombstone\|system_server_native_crash"
    

    DropBoxManager stores crash text under /data/system/dropbox; BootReceiver copies tombstone content into DropBox and emits the special system_server_native_crash tag. (DropBoxManager API; BootReceiver handling of tombstones and tag; SEPolicy type for /data/system/dropbox)

Detection Notes

• Symptom-driven: Look for spikes in ANR events and repeated system_server crashes or restarts around suspected attack times. Bugreports contain VM TRACES AT LAST ANR, logcat sections, and DropBox entries you can correlate by timestamp and PID. (Read bug reports; Keep apps responsive / ANR triggers)
• EMM/MDM compliance: Enforce a minimum Android security patch level policy so noncompliant devices can’t access corporate resources until updated. In Microsoft Intune and Graph, use minAndroidSecurityPatchLevel in Android compliance policies. (Graph v1.0 androidCompliancePolicy; Graph beta androidDeviceOwnerCompliancePolicy)
• Store protections: Google Play Protect continuously scans apps and helps flag PHAs, reducing opportunistic abuse. Verify Play Protect is enabled on GMS devices if your policy allows user apps. (Google Play Protect)

Response Guidance

• Prioritize patch deployment
  • Target 2025-12-05 for complete coverage (includes kernel items) across supported devices; 2025-12-01 addresses Framework fixes including the critical DoS. (Android bulletin)
  • Track fleet progress by querying patch level via EMM inventory or ADB for field audits. (Google Support: check patch level; Build.VERSION.SECURITY_PATCH)
• Suspected exploitation triage (targeted cases)
  • Immediately capture a bugreport from the device before reboot cycles roll logs. Pull /data/anr and tombstones when permissible, and export relevant DropBox entries. (Capture & read bug reports; ANR traces; Diagnose native crashes; DropBoxManager API)
  • Correlate crash times with user activity and inbound events (SMS/MMS/app traffic) if available. Use VM TRACES AT LAST ANR and any system_server_native_crash entries to pinpoint affected subsystems. (Read bug reports; BootReceiver tag)
• Enterprise policy
  • Enforce a minimum security patch level in compliance policies (e.g., >= 2025-12-05) and block access for out-of-date devices until remediated. (Graph v1.0 androidCompliancePolicy)
  • Communicate that AOSP links are posted within 48 hours after bulletin release; OEM delivery cadence varies by device and carrier. (Android bulletin; Google Support: update schedules vary)

Takeaways

• Inventory and gate: Require 2025-12-05 where possible; monitor stragglers. (Android bulletin)
• Collect early: Bugreport + /data/anr + tombstones + DropBox give the best signal for DoS/ANR patterns. (Capture & read bug reports; ANR traces; Diagnose native crashes; DropBoxManager)
• Automate compliance: Use EMM policies with minAndroidSecurityPatchLevel to prevent access from unpatched devices. (Graph v1.0 androidCompliancePolicy)
• Keep Play Protect on to reduce opportunistic app-borne abuse while you roll patches. (Google Play Protect)