New Delhi: India’s cyber security agency CERT-In has warned Android users to immediately install the latest security updates after Google patched a serious vulnerability in Dolby’s audio technology. The flaw, linked to the Dolby Digital Plus (DD+) Unified Decoder, could allow hackers to take control of a phone without any user interaction. Google fixed the issue in its January 2026 Android security update after it was first reported in October last year.
The vulnerability has been characterised as a so-called zero-click exploit, meaning attackers do not need victims to tap a link, open a file, or install an application. Once the bug is triggered, attackers could execute their own code on the device, exposing personal data, applications, and even company systems. CERT-In has now officially recommended that users in India update their phones to remain secure.
What CERT-In said in its warning
In its advisory CIVN-2026-0016, CERT-In said the Dolby flaw can be used to execute “arbitrary code” on affected Android devices. This means hackers could remotely interfere with the phone’s memory, steal information, or disrupt its normal functioning. The agency urged both individual users and organisations to apply Google’s latest Android security patch without delay.
CERT-In also warned that such vulnerabilities are often targeted in large-scale cyberattacks once they become publicly known. Delaying updates increases the risk of devices being compromised.
How the Dolby bug works
The flaw exists in Dolby’s DD+ Unified Decoder versions 4.5 and 4.13. According to Dolby, the issue is caused by an “out-of-bounds write” error that occurs when a specially crafted audio bitstream is processed. In an out-of-bounds write, a program writes data outside the memory buffer it was meant to use, corrupting adjacent memory. This can allow attackers to break out of the normal security limits of the system and run their own code.
Dolby said the bug was most commonly seen causing media apps to crash or restart. However, it also confirmed that the same flaw could be exploited for remote code execution on some Google Pixel models and other Android phones.
Google Project Zero found the exploit
The vulnerability was first uncovered by Google’s Project Zero security research team in October 2025. The researchers classified it as a zero-click exploit because no action is needed from the victim for the attack to work. This makes it far more dangerous than typical malware that relies on phishing or fake downloads.
Google included the fix in its January 5 Android security bulletin. The company also said the severity rating for the flaw was provided by Dolby itself.
What users should do now
Android users are advised to check for software updates in their phone’s settings and install the latest version available. The patch is already rolling out to Google Pixel devices and other phones that receive regular security updates.
Keeping devices updated is the only reliable way to stay protected against this type of attack. CERT-In has stressed that ignoring security patches can leave phones exposed to silent and highly damaging cyber threats.