All Android users placed on red alert as 'critical' phone issue discovered
Android users must watch out for an update that fixes a critical phone bug.
If you have an Android phone in your pocket, you might want to pay close attention to any updates that are released in the coming days. It's been confirmed that a worrying bug has been found that could allow hackers to target users and compromise devices.
What makes this flaw more concerning is that it is classed as zero-click. That means cybercriminals can hack Android phones without requiring any user interaction, so there's no need to get people to click on links or download files.
"This Android Security Bulletin contains details of security vulnerabilities that affect Android devices," Google explained.
"The vulnerability in this section could lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation."
The flaw, tracked as CVE-2026-0073, is so serious that it has been given a critical rating by Google, so it's not something anyone should ignore.
Anyone with an Android device should now check their settings and ensure their device is fully up to date with the latest software. Pixel phones will be the first to get the changes, with other manufacturers such as Samsung expected to release their own patches soon.
Explaining more about the concern with this update, Adam Boynton, Senior Enterprise Strategy Manager at security firm Jamf, said: “May’s Android security bulletin is light in volume but notable in shape. The single critical issue, CVE-2026-0073, allows remote code execution with no user interaction required, exploiting a debug interface that should never have been a production attack surface. It is the same architectural pattern commercial spyware operators have built mobile exploit chains on for years: system-level access, no user action, no obvious indicator.
“The takeaway cuts against a decade of mobile security investment. User awareness training does not defend against a vulnerability that requires no user interaction. The defences that work are device-level, including visibility into what is running, enforcement of patch state, and the recognition that the phone in an executive’s pocket is as much of an enterprise endpoint as the laptop on their desk.”
