Android Permission Controller Elevation of Privilege Vulnerability

A permission squatting vulnerability allowing local elevation of privilege has been identified in the Android Permission Controller. This issue arises from a logic error in the RoleService.java file, where the 'android.permission.MANAGE_DEFAULT_APPLICATIONS' permission was not properly defined, creating a loophole that could be exploited without any additional execution privileges. The vulnerability affects multiple versions of Android and does not require user interaction for exploitation.

Impact

Exploitation of this vulnerability could lead to unauthorized access to elevated privileges, allowing a user to perform actions or access resources that are normally restricted.

Remediation

Users can update their devices to the May 2025 security patch level to address this vulnerability. Instructions for checking and updating the Android version are available on the Google Support website.