Android Framework and Settings Authentication Prompt Logic Error Vulnerability Allowing Local Privilege Escalation
Vulnerability
A logic error in the Android Framework and Settings applications can mislead a user into approving an authentication prompt that was raised by one app while the result is consumed by another. The flaw allows local privilege escalation without requiring additional execution privileges, and exploitation does not require user interaction.
Impact
Successful exploitation grants a user privileges they were not authorized to hold, allowing actions or access to resources that are normally restricted.
Reproduction
The vulnerability can be reproduced with an application that calls the 'createConfirmDeviceCredentialIntent()' API. After the call, 'ConfirmDeviceCredentialActivity' becomes the top activity. If the app then switches to the Settings application, the biometric prompt started by the first app is not cancelled. This leaves a window in which the user may approve an authentication prompt that belongs to one app while apparently operating in the context of another.
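The prompt described above is a framework defect, so the only fix is the platform update in the Remediation section. What an app can do on its own side is make sure a confirmation is only meaningful for the operation it was requested for: instead of treating "the prompt returned OK" as a boolean, bind the prompt to an Android Keystore key that requires a fresh user authentication per use, so that the key only unlocks for an authentication performed for that exact cryptographic operation, and withdraw the prompt when the activity leaves the foreground. The following is an added illustration of that pattern, not code from the advisory or from the Android project. It assumes the androidx.biometric and androidx.core libraries, API level 30 or later (earlier levels do not accept a CryptoObject together with DEVICE_CREDENTIAL), a hypothetical key alias, and a constructed sample payload.

```java
// Added example (not from the advisory): bind a device-credential / biometric
// confirmation to this app's own Keystore operation instead of trusting a bare
// result code. Assumes androidx.biometric >= 1.1, androidx.core, and API 30+.
import android.os.Build;
import android.os.Bundle;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.util.Log;
import androidx.biometric.BiometricManager.Authenticators;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class CredentialGateActivity extends FragmentActivity {
    private static final String TAG = "CredentialGate";
    // Hypothetical alias chosen for this example; any app-private alias works.
    private static final String KEY_ALIAS = "example_auth_bound_key";
    private BiometricPrompt prompt;
    private byte[] protectedSecret; // ciphertext produced after a successful, bound confirmation

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Constructed sample payload standing in for whatever the app really gates.
        byte[] sample = "sample secret for the example".getBytes(StandardCharsets.UTF_8);
        try {
            requireCredentialFor(sample);
        } catch (Exception e) {
            onDenied("could not start prompt: " + e.getMessage());
        }
    }

    @Override
    protected void onStop() {
        super.onStop();
        // Defensive: if this activity leaves the foreground, withdraw the prompt rather
        // than leaving it up for the user to confirm in an unrelated context.
        if (prompt != null) prompt.cancelAuthentication();
    }

    private void requireCredentialFor(final byte[] secretToProtect) throws Exception {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.R) {
            // androidx.biometric rejects CryptoObject + DEVICE_CREDENTIAL before API 30.
            throw new UnsupportedOperationException("this example needs API 30+");
        }
        // The Cipher is initialised now but stays unusable until the Keystore sees an
        // authentication performed for this very operation (per-use auth, timeout 0).
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, authBoundKey());

        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
                .setTitle("Confirm it's you")
                .setSubtitle("Unlock the key for this app")
                .setAllowedAuthenticators(Authenticators.BIOMETRIC_STRONG | Authenticators.DEVICE_CREDENTIAL)
                .build();

        prompt = new BiometricPrompt(this, ContextCompat.getMainExecutor(this),
                new BiometricPrompt.AuthenticationCallback() {
                    @Override
                    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
                        try {
                            // Only a Cipher unlocked by an authentication bound to this
                            // operation will complete; a confirmation obtained elsewhere
                            // leaves doFinal() failing with a key-permanently-invalidated
                            // or user-not-authenticated error.
                            Cipher unlocked = result.getCryptoObject().getCipher();
                            onSecretProtected(unlocked.doFinal(secretToProtect), unlocked.getIV());
                        } catch (Exception e) {
                            onDenied("key not usable: " + e.getMessage());
                        }
                    }

                    @Override
                    public void onAuthenticationError(int errorCode, CharSequence errString) {
                        onDenied("error " + errorCode + ": " + errString);
                    }
                });
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }

    // Create (or reuse) an AES key that cannot be used without a fresh user authentication.
    private SecretKey authBoundKey() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidKeyStore");
        ks.load(null);
        SecretKey existing = (SecretKey) ks.getKey(KEY_ALIAS, null);
        if (existing != null) return existing;
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setUserAuthenticationRequired(true)
                // timeout 0: every use of the key needs its own authentication
                .setUserAuthenticationParameters(0,
                        KeyProperties.AUTH_BIOMETRIC_STRONG | KeyProperties.AUTH_DEVICE_CREDENTIAL)
                .build());
        return kg.generateKey();
    }

    private void onSecretProtected(byte[] ciphertext, byte[] iv) {
        protectedSecret = ciphertext; // the IV would be stored alongside it in a real app
        Log.i(TAG, "secret protected, " + ciphertext.length + " bytes, iv " + iv.length + " bytes");
    }

    private void onDenied(String reason) {
        protectedSecret = null; // nothing is granted on any failure path
        Log.w(TAG, "access denied: " + reason);
    }
}
```

The design point is that the success callback alone is never treated as authorization: access is granted only if the Keystore completes the operation, and the Keystore will only do so for an authentication that was performed for this CryptoObject. The onStop() cancellation is a defensive addition for the situation the advisory describes, where an app is moved out of the foreground while its prompt is still showing; it reduces the chance of a stale prompt being confirmed from another context but does not replace the platform fix.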
Remediation
Update to the latest available Android version. Devices running Android 10 and later may receive the fix through a Google Play system update. Instructions for checking and updating the Android version are available on the Google Play support page.
