The zero-day, tracked as CVE-2025-27363, resides in the System component and stems from a memory handling bug in FreeType — an open-source library widely used for font rendering. The flaw allows for local code execution without requiring additional privileges or user interaction. According to Facebook’s security team, which first disclosed details about the vulnerability in March 2025, attackers can exploit the issue through malformed TrueType GX or variable font files, leading to heap buffer overflows and potentially arbitrary code execution. While the vulnerability was fixed in FreeType 2.13.0 over two years ago, older versions remain embedded in many Android builds and third-party software, making the risk of exploitation significant.

Google has acknowledged signs of limited, targeted exploitation of CVE-2025-27363 in the wild, reinforcing the urgency for users and OEMs to apply the update. Devices patched with the 2025-05-05 security level will receive a fix for this vulnerability, along with all other patches from earlier levels.

Beyond the zero-day, the May 2025 bulletin addresses over 40 high-severity vulnerabilities affecting Android components such as the Framework, System, kernel, and key third-party hardware modules from Arm, MediaTek, Qualcomm, and Imagination Technologies.

Android device manufacturers are expected to incorporate these fixes into their firmware. Devices running Android 10 and later will receive some of these patches through Google Play system updates, covering components like the Wi-Fi stack, Permission Controller, and Documents UI. However, it is recommended that users of older models move to a newer device running Android version 13 or later. For some models, third-party Android distributions like GrapheneOS and LineageOS exist, which might provide security in aging devices.

Desktop Archive.

• Google is working on an Intrusion Detection system for Android, according to a teardown of the Play Services app.
• The system will collect a log of your device/network activities that can be accessed if you notice suspicious activity across your account or devices.
• Google’s code suggests this log is end-to-end encrypted and can only be accessed with your Google account password and device authentication.

Summary

• Google Messages is rolling out an Unsubscribe button to combat spam.
• Pressing the button sends a 'STOP' message from the user to the sender, blocking non-essential texts.
• The Unsubscribe button is available for RCS for business messages and texts from short codes.

cross-posted from: https://lemmy.world/post/29027083

cross-posted from: https://lazysoci.al/post/25674504

he F-Droid app was created in 2009 in the early days of Android and lots of its code is still that old. While the ecosystem has seen many drastic shifts, the F-Droid community heroically kept the app alive with band aids and chewing gum.

Therefore, we are especially thrilled to announce that the Mobifree programme of the Next Generation Internet initiative agreed to fund this monumental effort. With their support, we aim to modernize the F-Droid app with a focus on the user interface to make the app easier to use and more appealing especially for new users. At the same time, the modernization should make it easier and more attractive to contribute to the app while also making it easier for the maintainers to review and merge external contributions due to better test coverage and less code entanglement.

The rewrite will be exclusively in Kotlin and use Compose for the UI while using modern architectural patterns that will make the app easier to maintain and more fun to contribute to. It will also allow for a responsive UI that adapts to the available screen size, be it a phone, a foldable, a tablet or even a desktop screen

cross-posted from: https://lemmy.world/post/28834572

cross-posted from: https://lazysoci.al/post/25427139