Android’s June Update Fixes a Flaw That’s Already Being Exploited

Google’s June 2026 Android update fixes 124 security flaws, and one of them is already being used in real attacks. The bug, tracked as CVE-2025-48595, sits in the Android Framework — the core plumbing every app talks to. It lets a malicious app quietly raise its own privileges and potentially take full control of the phone, with no tap needed beyond installing that app. It affects Android 14, 15, 16 and 16-QPR2.

Phones and tablets aren’t side devices anymore. They hold your email, Microsoft 365 logins, MFA codes, VPN access and — for a lot of cafés, restaurants and shops — the POS or booking app. A privilege-escalation flaw like this means an attacker who lands one dodgy app on a staff device could harvest passwords, intercept those MFA prompts and reach company data. Bring-your-own-device setups make it harder again, because you often can’t see whether someone’s personal phone is up to date.

So do this today: update every Android device to the June 2026 patch level (dated 2026-06-05 or later). On the device, that’s Settings > System > Software update, then check the "Android security update" date. If you run a mobile device manager like Intune, push the update now and consider blocking app installs from outside the Play Store. Any phone too old to still receive security updates should be retired — it simply won’t get this fix.
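For a whole team's devices, the same patch-level check can be run over an inventory list. The script below is an added example, not something from Google or any MDM vendor: the CSV column names and sample rows are constructed, patch levels are assumed to be recorded as YYYY-MM-DD, and the 180-day "stale" cut-off is an assumed rule of thumb for spotting phones that may no longer receive updates.

```python
import csv
import io
from datetime import date, timedelta

REQUIRED_PATCH = date(2026, 6, 5)      # patch level named in the article
LISTED_MAJOR = {"14", "15", "16"}      # article lists Android 14, 15, 16 and 16-QPR2
STALE_AFTER = timedelta(days=180)      # assumption: this far behind suggests updates have stopped

# Constructed sample inventory; column names are hypothetical, not a real MDM export format.
SAMPLE_CSV = """device,owner,os_version,security_patch
pos-tablet-1,front counter,14,2026-06-05
pixel-sam,sam,16-QPR2,2026-05-05
old-galaxy,kim,14,2025-03-01
byod-alex,alex,15,
"""

def triage(row):
    """Return (status, in_scope) for one inventory row.

    in_scope is True when the OS version is one the article lists as affected.
    """
    major = (row.get("os_version") or "").split("-")[0].split(".")[0].strip()
    in_scope = major in LISTED_MAJOR
    try:
        patch = date.fromisoformat((row.get("security_patch") or "").strip())
    except ValueError:
        return "unknown", in_scope     # not reported (common with BYOD): check on the device
    if patch >= REQUIRED_PATCH:
        return "current", in_scope
    if REQUIRED_PATCH - patch > STALE_AFTER:
        return "stale", in_scope       # may never get the fix: review for retirement
    return "update", in_scope

def triage_inventory(text):
    """Map each device name to its (status, in_scope) result."""
    return {r["device"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for device, (status, in_scope) in triage_inventory(SAMPLE_CSV).items():
        print(f"{device:14} {status:8} listed_version={in_scope}")
```

Devices that come back as "unknown" are the ones to check by hand in Settings, since a missing patch date is not evidence that the phone is up to date.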

If you’re not sure which of your team’s devices are current, that’s exactly what a managed cybersecurity setup is meant to track. We’re happy to take a look if you’d like a hand.
