Android Flaw Could Put Billions of Devices at Risk

News Room

A newly patched Android flaw could allow nearby attackers to execute code without a tap, click, or user warning.

Google released a security update for CVE-2026-0073, a remote code execution vulnerability affecting Android System components across Android 14, 15, 16, and 16-QPR2. The company said exploitation requires no user interaction and could allow code execution as the shell user.

The flaw could “… lead to remote (proximal/adjacent) code execution as the shell user with no additional execution privileges needed. User interaction is not needed for exploitation,” said Google in its security advisory.

Inside the Android RCE vulnerability

The vulnerability affects core Android System components across multiple operating system versions, including Android 14, 15, 16, and 16-QPR2, broadening its potential impact across the mobile ecosystem.

Because the flaw can be exploited from the same local network or from close physical proximity, it poses a meaningful risk in enterprise environments, public Wi-Fi networks, and shared-device scenarios.

Organizations with bring-your-own-device (BYOD) programs or a heavy reliance on mobile access to corporate resources face increased risk, especially when patching is delayed or inconsistently enforced across devices.

CVE-2026-0073

CVE-2026-0073 originates from the Android Debug Bridge daemon (adbd), a low-level system service that facilitates debugging and direct communication between devices and external systems.

While adbd is designed to operate within strict controls, this vulnerability allows attackers to bypass those safeguards and gain remote shell access.

Exploitation and impact

Successful exploitation of the adbd flaw yields remote code execution without requiring authentication, user interaction, or additional privileges.

Although shell access does not equate to full root-level control, it still enables attackers to bypass application sandboxing, interact with system processes, and potentially establish persistence or pivot to higher levels of access.

The flaw is classified as proximal, meaning the attacker must be on the same network or within physical range of the target device to successfully exploit it. This requirement limits large-scale internet exploitation but increases risk in environments where network proximity is common, such as corporate offices, co-working spaces, and public Wi-Fi networks.

At the time of publication, there are no confirmed reports of active exploitation in the wild.


How to reduce mobile RCE risk

Because exploitation requires no user interaction and can be launched from nearby network access, organizations should prioritize timely patching and back it with layered controls.

  • Apply the latest patch and validate in a controlled environment before production deployment.
  • Enforce device compliance using MDM to restrict unpatched, non-compliant, or high-risk devices from accessing corporate resources.
  • Disable USB debugging and restrict ADB or developer options to reduce exposure of the vulnerable adbd component.
  • Segment networks and limit device-to-device communication to reduce the risk of lateral movement from proximal attacks.
  • Monitor for suspicious activity, including unusual network traffic and unauthorized command execution on mobile endpoints.
  • Implement zero-trust and conditional-access policies to ensure that only compliant devices can access sensitive systems.
  • Test incident response plans and use attack-simulation tools with scenarios focused on mobile device exploitation.
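The checklist above calls for patch validation, MDM compliance enforcement, and disabling USB debugging and developer options. The following is an added example, not code from the article or from Google, of a small compliance evaluator that turns those three items into a policy check. The device records are constructed sample data shaped like the values an MDM agent could collect from `getprop ro.build.version.security_patch`, `settings get global adb_enabled` and `settings get global development_settings_enabled`; the collection step itself is assumed, not shown, and the required patch level is a placeholder because the article does not state the bulletin date.

```python
"""Evaluate Android device inventory records against a patch/ADB compliance policy.

Added example for the CVE-2026-0073 mitigation checklist. Sample records below
are constructed; the property and setting names are the real Android ones, but
how they reach this script (MDM agent export) is assumed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# PLACEHOLDER: replace with the security patch level that ships the fix.
# The article gives no date, so this value is an assumption, not a fact.
REQUIRED_PATCH_LEVEL = date(2026, 1, 1)

# Major versions the advisory lists as affected (14, 15, 16 and 16-QPR2 report "16").
AFFECTED_MAJOR_VERSIONS = {"14", "15", "16"}


@dataclass
class DeviceRecord:
    device_id: str
    release: str               # ro.build.version.release, e.g. "15" or "16"
    security_patch: str        # ro.build.version.security_patch, "YYYY-MM-DD"
    adb_enabled: str           # settings get global adb_enabled -> "0", "1" or "null"
    dev_settings_enabled: str  # settings get global development_settings_enabled


def parse_patch_level(value: str) -> Optional[date]:
    """Parse the YYYY-MM-DD patch string; None if the property is missing or garbled."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def setting_is_on(value: str) -> bool:
    """`settings get` prints "null" when a setting was never written; treat that as off."""
    return value.strip() == "1"


def evaluate(rec: DeviceRecord) -> List[str]:
    """Return policy findings for one device; an empty list means compliant."""
    findings: List[str] = []
    if rec.release.split(".")[0] in AFFECTED_MAJOR_VERSIONS:
        patch = parse_patch_level(rec.security_patch)
        if patch is None:
            # Unreadable patch level is itself a finding: we cannot prove the fix is present.
            findings.append("patch level unreadable")
        elif patch < REQUIRED_PATCH_LEVEL:
            findings.append(
                f"patch level {rec.security_patch} predates required {REQUIRED_PATCH_LEVEL}"
            )
    if setting_is_on(rec.adb_enabled):
        findings.append("USB debugging enabled")
    if setting_is_on(rec.dev_settings_enabled):
        findings.append("developer options enabled")
    return findings


def compliance_report(records: List[DeviceRecord]) -> Dict[str, List[str]]:
    """Map device_id -> findings, suitable for feeding a conditional-access decision."""
    return {r.device_id: evaluate(r) for r in records}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    DeviceRecord("dev-a", "16", "2026-02-05", "0", "0"),       # patched, debugging off
    DeviceRecord("dev-b", "15", "2025-11-05", "1", "1"),       # unpatched, debugging on
    DeviceRecord("dev-c", "13", "2024-06-05", "null", "null"), # version not in scope
    DeviceRecord("dev-d", "14", "unknown", "0", "1"),          # unreadable patch level
]

if __name__ == "__main__":
    for device_id, findings in compliance_report(SAMPLE_INVENTORY).items():
        status = "COMPLIANT" if not findings else "NON-COMPLIANT: " + "; ".join(findings)
        print(f"{device_id}: {status}")
```

Devices whose record returns any finding are the ones an MDM or conditional-access policy should block from corporate resources until remediated; treating an unreadable patch level as non-compliant keeps a failed or tampered inventory collection from silently passing.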

Collectively, these measures help strengthen mobile security resilience and reduce exposure.

Why zero-click vulnerabilities matter

Zero-click vulnerabilities remain a concern in mobile security because they eliminate the need for user interaction, enabling attacks with little to no visible indicators.

As Android and other mobile platforms adopt modular update frameworks like Project Mainline, core system components such as adbd have become more prominent targets due to their deep integration with device functionality. This reflects a broader shift toward exploiting trusted, low-level services rather than relying solely on user-driven attack methods like phishing.

Editor’s note: This article originally appeared on our sister publication, eSecurityPlanet.

