CVE-2025-3067 is a high-severity vulnerability affecting Google Chrome on Android versions prior to 135.0.7049.52. The flaw resides in the implementation of Custom Tabs, a feature that allows apps to open web content within the app context using Chrome’s rendering engine. Specifically, an inappropriate implementation in Custom Tabs permits a remote attacker to escalate privileges by convincing a user to perform certain UI gestures. This crafted interaction, initiated via a malicious app, can lead to unauthorized elevation of privileges on the affected device. The vulnerability is exploitable remotely without prior authentication but requires user interaction, namely specific UI gestures, to trigger the exploit. According to the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), the attack can be launched over a network with low attack complexity, no privileges or credentials are needed, but user interaction is required. The impact on confidentiality, integrity, and availability is high, indicating that successful exploitation could lead to full compromise of the device’s security posture. Although no known exploits are currently reported in the wild, the severity and ease of exploitation make this a critical risk for users running vulnerable Chrome versions on Android devices. The vulnerability was publicly disclosed on April 2, 2025, and Google has released version 135.0.7049.52 as a patch to remediate the issue.

For European organizations, this vulnerability poses a significant threat, especially those with employees using Android devices for corporate communications and accessing sensitive information via Chrome Custom Tabs embedded in enterprise apps. Exploitation could allow attackers to escalate privileges on employee devices, potentially leading to unauthorized access to corporate data, interception of communications, or deployment of further malware within the corporate network. The high confidentiality, integrity, and availability impact means that sensitive personal and business data could be exposed or manipulated. Given the widespread use of Android devices and Google Chrome in Europe, the risk extends to sectors such as finance, healthcare, government, and critical infrastructure, where data protection and operational continuity are paramount. The requirement for user interaction means social engineering or phishing campaigns could be used to trick users into performing the necessary UI gestures, increasing the likelihood of successful exploitation in targeted attacks.

European organizations should prioritize updating all Android devices running Google Chrome to version 135.0.7049.52 or later immediately. Mobile device management (MDM) solutions should be leveraged to enforce update policies and verify compliance. User awareness training should be enhanced to educate employees about the risks of interacting with untrusted apps and performing unexpected UI gestures. Organizations should audit and restrict the installation of third-party apps, especially those not vetted through official app stores. Additionally, implementing application whitelisting and restricting permissions for apps that can invoke Custom Tabs can reduce the attack surface. Monitoring for unusual app behavior or privilege escalations on Android devices can help detect exploitation attempts. Finally, organizations should maintain an incident response plan tailored to mobile device compromises to quickly contain and remediate any breaches stemming from this vulnerability.