Category: Uncategorized

Ravie LakshmananMar 20, 2026Data Privacy / Mobile Security

Google on Thursday announced a new “advanced flow” for Android sideloading that requires a mandatory 24-hour wait period to install apps from unverified developers in an attempt to balance openness with safety.

The new changes come against the backdrop of a developer verification mandate the tech giant announced last year that requires all Android apps to be registered by verified developers to be installed on certified Android devices. The move, it added, was done to flag bad actors faster and prevent them from distributing malware.

This also includes potential scenarios where cybercriminals trick unsuspecting users who sideload such apps into granting them elevated privileges that make it possible to turn off Play Protect, the anti-malware feature built into all Google-certified Android devices.

However, the mandatory registration requirements have been met with criticism from over 50 app developers and marketplaces, including F-Droid, Brave, The Electronic Frontier Foundation, Proton, The Tor Project, Vivaldi, who say they risk creating friction and barriers to entry, and raise privacy and surveillance concerns in the absence of clarity about what personal information developers must provide, how this data will be stored, secured, and used, and if it could be subject to government requests or legal processes.

As a way of quelling some of these thorny issues, Google has emphasized that the newly developed advanced flow allows power users to maintain the ability to sideload apps from unverified developers with a one-time process that requires them to follow the steps below –

• Enable developer mode in system settings.
• Confirm that they are taking this step of their own volition and are not being coached.
• Restart the phone and re-authenticate so as to prevent a scammer from monitoring what actions a user is taking.
• Wait for a 24-hour period and confirm that they are really making this change with biometric authentication or device PIN.
• Install apps from unverified developers once users understand the risks, either indefinitely or for a period of seven days.

“In that 24-hour period, we think it becomes much harder for attackers to persist their attack,” Android Ecosystem President, Sameer Samat, was quoted as saying to Ars Technica. “In that time, you can probably find out that your loved one isn’t really being held in jail or that your bank account isn’t really under attack.”

Google also said it plans to offer free “limited distribution accounts” that let hobbyist developers and students share apps with up to 20 devices without having to “provide a government-issued ID or pay a registration fee.”

It’s worth noting that the aforementioned process does not apply to installs via the Android Debug Bridge (ADB). Limited distribution accounts for students and hobbyists, as well as advanced flow for users, will be available in August 2026, before the new developer verification requirements take effect the month after.

“We know a ‘one size fits all’ approach doesn’t work for our diverse ecosystem,” Google said. “We want to ensure that identity verification isn’t a barrier to entry, so we’re providing different paths to fit your specific needs.”

The development coincides with the emergence of a new Android malware called Perseus that’s actively targeting users in Turkey and Italy with an aim to conduct device takeover (DTO) and financial fraud.

Over the four months, at least 17 Android malware families have been detected in the wild. They include FvncBot, SeedSnatcher, ClayRat, Wonderland, Cellik, Frogblight, NexusRoute, ZeroDayRAT, Arsink (and its improved variant SURXRAT), deVixor, Phantom, Massiv, PixRevolution, TaxiSpy RAT, BeatBanker, Mirax, and Oblivion RAT.

A critical security flaw impacting Langflow has come under active exploitation within 20 hours of public disclosure, highlighting the speed at which threat actors weaponize newly published vulnerabilities.

The security defect, tracked as CVE-2026-33017 (CVSS score: 9.3), is a case of missing authentication combined with code injection that could result in remote code execution.

“The POST /api/v1/build_public_tmp/{flow_id}/flow endpoint allows building public flows without requiring authentication,” according to Langflow’s advisory for the flaw.

“When the optional data parameter is supplied, the endpoint uses attacker-controlled flow data (containing arbitrary Python code in node definitions) instead of the stored flow data from the database. This code is passed to exec() with zero sandboxing, resulting in unauthenticated remote code execution.”

The vulnerability affects all versions of the open-source artificial intelligence (AI) platform prior to and including 1.8.1. It has been currently addressed in the development version 1.9.0.dev8.

Security researcher Aviral Srivastava, who discovered and reported the flaw on February 26, 2026, said it’s distinct from CVE-2025-3248 (CVSS score: 9.8), another critical bug in Langflow that abused the /api/v1/validate/code endpoint to execute arbitrary Python code without requiring any authentication. It has since come under active exploitation, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA).

“CVE-2026-33017 is in /api/v1/build_public_tmp/{flow_id}/flow,” Srivastava explained, adding that the root cause stems from the use of the same exec() call as CVE-2025-3248 at the end of the chain.

“This endpoint is designed to be unauthenticated because it serves public flows. You can’t just add an auth requirement without breaking the entire public flows feature. The real fix is removing the data parameter from the public endpoint entirely, so public flows can only execute their stored (server-side) flow data and never accept attacker-supplied definitions.”

Successful exploitation could allow an attacker to send a single HTTP request and obtain arbitrary code execution with the full privileges of the server process. With this privilege in place, the threat actor can read environment variables, access or modify files to inject backdoors or erase sensitive data, and even obtain a reverse shell.

Srivastava told The Hacker News that exploiting CVE-2026-33017 is “extremely easy” and can be triggered by means of a weaponized curl command. One HTTP POST request with malicious Python code in the JSON payload is enough to achieve immediate remote code execution, he added.

Cloud security firm Sysdig said it observed the first exploitation attempts targeting CVE-2026–33017 in the wild within 20 hours of the advisory’s publication on March 17, 2026.

“No public proof-of-concept (PoC) code existed at the time,” Sysdig said. “Attackers built working exploits directly from the advisory description and began scanning the internet for vulnerable instances. Exfiltrated information included keys and credentials, which provided access to connected databases and potential software supply chain compromise.”

Threat actors have also been observed moving from automated scanning to leveraging custom Python scripts in order to extract data from “/etc/passwd” and deliver an unspecified next-stage payload hosted on “173.212.205[.]251:8443.” Subsequent activity from the same IP address points in a thorough credential harvesting operation that involves gathering environment variables, enumerating configuration files and databases, and extracting the contents of .env files.

This suggests planning on part of the threat actor by staging the malware to be delivered once a vulnerable target is identified. “This is an attacker with a prepared exploitation toolkit moving from vulnerability validation to payload deployment in a single session,” Sysdig noted. It’s currently not known who is behind the attacks.

The 20-hour window between advisory publication and first exploitation aligns with an accelerating trend that has seen the median time-to-exploit (TTE) shrinking from 771 days in 2018 to just hours in 2024.

According to Rapid7’s 2026 Global Threat Landscape Report, the median time from publication of a vulnerability to its inclusion in CISA’s Known Exploited Vulnerabilities (KEV) catalog dropped from 8.5 days to five days over the past year.

“This timeline compression poses serious challenges for defenders. The median time for organizations to deploy patches is approximately 20 days, meaning defenders are exposed and vulnerable for far too long,” it added. “Threat actors are monitoring the same advisory feeds that defenders use, and they are building exploits faster than most organizations can assess, test, and deploy patches. Organizations must completely reconsider their vulnerability programs to meet reality.”

Users are advised to update to the latest patched version as soon as possible, audit environment variables and secrets on any publicly exposed Langflow instance, rotate keys and database passwords as a precautionary measure, monitor for outbound connections to unusual callback services, and restrict network access to Langflow instances using firewall rules or a reverse proxy with authentication.

The exploration activity targeting CVE-2025–3248 and CVE-2026-33017 underscores how AI workloads are landing in attackers’ crosshairs owing to their access to valuable data, integration within the software supply chain, and insufficient security safeguards.

“CVE-2026-33017 […] demonstrates a pattern that is becoming the norm rather than the exception: critical vulnerabilities in popular open-source tools are weaponized within hours of disclosure, often before public PoC code is even available,” Sysdig concluded.