Project Zero (Google's security research team) found a remotely exploitable vulnerability impacting Google Messages and reported it internally back in June 2025, but the team at Android still has not fixed it for the stock OS. People can have their device remotely exploited and taken over without any interaction from the victim with a known vulnerability.
https://project-zero.issues.chromium.org/issues/428075495
Another win for us, but truthfully, users shouldn't have to install a third-party operating system like #GrapheneOS to have protection against such a thing. Any responsible team would have patched by now. iOS would have.
The same applies to getting security patches when they are created. An embargo of up to three months for vulnerability information and patches is unacceptable. We have patches scheduled for March 2026 coming in our security preview releases while most OEMs are just following the monthly Android Security Bulletins.
Google's ongoing layoffs and recent misguided changes to the security update model have significantly reduced stock Android security.
Replies (6)
There's no phone number I know of that reaches my phone, so this wouldn't work on me.
Is this reply pointless for people who have phone numbers? You might think so, but no. Open your mind. Get out of your box. Follow my example.
Most likely they get paid every day by the feds to not patch it.
They released a statement explicitly stating that this vulnerability is a feature not a bug.
just a small startup
Closed Source Proprietary Software is a thing of beauty
You cannot hate #Google enough! 🤬