CyberPulse Daily | #1 Trusted Source for Cybersecurity News

Google Project Zero Reveals Six-Month Exploit Chain Used Against Android Devices

Google Project Zero has published a detailed technical analysis of a sophisticated chain of five vulnerabilities that was used to remotely compromise fully patched Android devices in a zero-click attack delivered via RCS messages.

The exploit chain begins with a vulnerability in the Android messaging stack's handling of RCS (Rich Communication Services) messages. A specially crafted RCS message triggers a memory corruption bug in the media processing library, which is then leveraged to achieve code execution within the messaging app's sandbox.

From there, the chain uses three additional privilege escalation vulnerabilities to break out of the app sandbox, escape SELinux confinement, and ultimately achieve kernel code execution. The final stage installs a persistent implant that survives device reboots.

Google attributes the exploit chain to a commercial surveillance vendor and notes that it was used against fewer than 20 targeted individuals, all of whom were journalists or political dissidents. All five vulnerabilities were patched in Android security updates between September and December 2025.

The 47-page technical report provides unprecedented detail about the inner workings of a real-world exploit chain, including complete disassembly of the implant code. Project Zero released the analysis to help the security community better understand and defend against such sophisticated attacks.
