Super Funicular LLC

Android just patched a zero-day that was *already* being exploited before the fix shipped. Patch now — then ask the question nobody emails you about: if your phone does get popped, how big is the blast radius? Google's June 2026 Android Security Bulletin landed on June 1. It fixes CVE-2025-48595, an elevation-of-privilege flaw in the Android Framework that Google says is under "limited, targeted exploitation" — the language they use when a bug is being used quietly against specific people, not sprayed at everyone. It hits Android 14, 15, 16, and 16 QPR2. (The "2025" in the CVE ID is just the year it was reserved. The patch is brand new.) The scarier line item is CVE-2025-65018 — rated critical, a remote privilege escalation with NO user interaction. No link to click. No app to install. Just a remote path to control. Step 1 is not negotiable: patch. 🔧 Settings → Security & privacy → System & updates 🔧 Install anything offered 🔧 Confirm your security patch level reads 2026-06-01 or 2026-06-05 🔧 Keep Play Protect on, stop sideloading from sources you can't vouch for If your phone is too old to get June 2026 patches, that's its own signal. An unpatched OS is the real exposure, and no app changes that. Now the part the news coverage skips. Patching closes *this* hole. It does nothing about the next one — or the one being held privately right now. An OS-level zero-day is not something any third-party app fixes. So the posture that actually compounds over time isn't "patch faster." It's: minimize what a compromise can reach. A phone hit by an EoP chain can read what's on the device. But the bigger prize is usually what the device gives access to — the cloud accounts your apps stay logged into. A camera app that uploads everything to a vendor's servers has created a second copy of your footage that outlives your handset, fully indexed and searchable. That copy is exfiltratable from the device. It's also exposed by every breach on the vendor's side — see the recurring pattern where one leaked camera-cloud key exposes hundreds of brands at once. Local-only apps don't add to that pile. If recordings never leave the phone, there's no server archive to steal, no account to hijack, no vendor breach that reaches you. This is where I'll be precise about what my app does and doesn't do. Background Camera RemoteStream does NOT protect you from CVE-2025-48595. Nothing in user space patches a Framework zero-day. Update your OS — really. What it does is shrink the blast radius: • Recordings store locally on the device — no cloud, no account, no sign-up. There's no server-side copy to leak in someone else's breach. • No account means no credential sitting on the device for an attacker to ride into a cloud dashboard. • Live streaming, when you want it, runs through your own YouTube Live — your pipe, your account, not a third-party relay holding your video. This is the unglamorous version of "privacy-first." Not a promise you'll never be attacked — a design that keeps the damage small when something upstream fails. A privacy policy is a promise. Local-only storage is an architecture that makes the promise unnecessary. Your 4-step checklist for today: 1. Patch. Confirm security patch level 2026-06-01 / 2026-06-05. 2. Audit who phones home. Privacy Dashboard shows which apps touched your camera and mic; Network → Data usage shows who's uploading in the background while idle. 3. Prefer local-only, no-account apps for anything sensitive — cameras, recorders, notes. 4. Keep Play Protect on. Stop sideloading from sources you can't trust. Patching is necessary. Reducing what's at stake when patching isn't enough is the part you own. Full version with sources (Android bulletin + CyberInsider): https://t.co/Vn2pnBvB8x Try the app: https://t.co/Jd3ejCuMCT

Your "free" baby-monitor app can't lie to you about uploading your video. The upload has to physically happen, Android logs that it happened, and Android lets you read the log. Here's the 5-step ladder, low effort → high: 1. Data-usage view. Settings → Apps → app → App data usage. A local-only camera app should use ~0 background data. 200 MB/day on an idle phone isn't "update checks" — it's upload. 2. Privacy Dashboard. Settings → Privacy. Camera on for 3 sec at 4 a.m. when nobody touched it = the app keeping a pipe warm. 3. Private DNS log. Set https://t.co/xe336Sr85w for a day, read the per-app domains. Ad-tech (appsflyer, adjust, branch) or unknown cloud (aliyun, tencent) = the upload path. Those last two are the Meari-breach backend family — 1.1M baby monitors, one key. 4. Play Store Data Safety. The publisher's own declaration. If "shared with third parties" is populated but the listing says "no tracking," believe the declaration. 5. Packet capture (only if 1–4 disagree). Hotspot + Wireshark. Steady multi-MB TLS to one endpoint = frames leaving. The structural reason it always works: a camera running 24/7 has a real bandwidth bill. Either you pay it or the data does. The upload isn't optional, so it isn't hideable. Full walkthrough: https://t.co/EvMOieegew Or skip the audit with an app that has no server: https://t.co/GvQPibfkwv