June 2026 Android Security Bulletin notes CVE-2025-48595 is being exploited in the wild. It's being widely misreported in tech media as a 0-day vulnerability being exploited. That's a major misunderstanding of Android Security Bulletins and how poorly OEMs keep up with patches.
Google disclosed CVE-2025-48595 to OEMs in a security preview release near the end of September 2025. Those patches are allowed to be shipped right away, so it was included in our 2025092501 release. We noted it was already publicly fixed so it was added to our regular releases too in 2025100300.
We quickly shipped the patch after it was disclosed to OEMs by Google but we plan to do better in the future. SQLite 3.44.5 was released with this backport on 2025-07-24. We weren't previously aware SQLite maintained upstream LTS branches for Android but our plan is to closely follow those now.
In this case, Google slipped up and took 2 months to add the patch to the security preview releases. We plan to avoid that in the future by handling this ourselves because this happens too often. It's also a nice example of how Android Security Bulletins set extremely low expectations for OEMs.
#GrapheneOS quickly ships all security preview patches. Every AOSP patch included in the Android Security Bulletins was already available in GrapheneOS for over a month. We end up shipping patches 2-3 months earlier. Google having such low expectations for OEMs and even themselves is ridiculous.
Android's security patch system doesn't make any sense and is completely at odds with how quickly people can discover and exploit vulnerabilities with the help of LLMs. The security preview release system would be far more reasonable if the embargo for sources and details was no more than 48 hours.
Google's embargo system harms security for nearly all Android users by setting the expectation of patches taking 2 to 6 months for OEMs to ship after disclosure. Patches are available to sophisticated attackers as soon as Google discloses them to OEMs. A partial embargo for months makes no sense.
Final
final@stacker.news
npub1hxx7...g75y
Security specialist and member of the GrapheneOS Foundation.
Posts my own and not endorsed by my employer. AI slop and Nostr DMs ignored.
Email: final@grapheneos.org
Matrix: f1nal:grapheneos.org
If you downloaded Telegram from a site called APKPure recently, congrats: You downloaded an infostealer and all of your conversations were being logged to some guy's server.
C2: 38[.]190[.]225[.]166
SHA256: 7d44e0009d251ae4983f5bf29f7d8aa9af668df88dba05a17a7a314f6780ceff
>Add Silent Payments (SP) receiving wallets, including support for airgapped hardware wallet signers
To also be pushed into the latest GrapheneOS release!
This is the first release of our Speech Services text to speech engine. This introduces text to speech in the OS for apps that call for OS TTS. Please feel free to test this as the first users so it can be improved for future releases. Please note that only English (US) is available for this first release but others will be implemented in the future.
Since this is a text to speech engine and not a standalone application, you have to enable this in Settings > System > Language & Region > Speech > Text to speech output > Preferred engine. Eventually this will be default.
If an app calls for OS text to speech, for example Organic Maps/CoMaps, it will use it there.
#GrapheneOS
#GrapheneOS Speech Services, a high quality on-device text to speech engine built with open source models and training data, is now available in the GrapheneOS App Store.


I think this is probably considered a hot take here but the quality of feature implementation matters far more than the implementation of a feature itself.
I have no comment on on-chain zaps. Likely won't use them or they just go sweep to the GrapheneOS Foundation.
You can use Silent Payments for me though:
sp1qqtdguesl4e507rt9m0pwfxvwxh2wf9c74pk9v4dclnf8agxe5vwq6qml9d4h6gz0vwf3dhgvznmvpu4z0gnfr33mr5wzmlcuxpqnturehvypr803