CVE-2022-20446 - Exploiting Android’s AlwaysOnHotwordDetector for Background Microphone Access

In late 2022, a security flaw—CVE-2022-20446—was quietly patched in Android. This vulnerability lets apps access your device’s microphone from the background, bypassing typical permission checks. Let’s break down how this bug worked, how it could be exploited, and how it was finally fixed.

What is AlwaysOnHotwordDetector?

On Android, voice assistants like Google Assistant or Bixby need to listen for hotwords (“Hey Google”). The AlwaysOnHotwordDetector class in the Android codebase manages this. It’s supposed to securely control microphone access, only letting trusted, foreground services use it.

The bug happened because a permission check was missing here, letting rogue apps sneak in and listen through the microphone, even if the user hadn’t granted explicit permission.

Android Security Bulletin

- Android Vulnerability Details
- AOSP Reference (A-229793943)

Code Walkthrough: What Went Wrong

In AlwaysOnHotwordDetector.java, a method initiating a microphone session was supposed to check that the calling app *really* had the right permissions. But it didn’t.

Here’s a simplified look at the broken code

public void startRecognition() {
    // ... cold starts, setup ...
    // Missing: isCallerAllowedToRecordAudio()
    audioRecord.startRecording();
}

Android has a check like this (simplified)

if (context.checkCallingOrSelfPermission(RECORD_AUDIO) != PERMISSION_GRANTED) {
    throw new SecurityException("No permission to record audio");
}

But in AlwaysOnHotwordDetector, this check was skipped — even for background apps.

Create a simple Android app—no RECORD_AUDIO permission needed.

2. Interact with AlwaysOnHotwordDetector (via exposed APIs/intents).

Start accessing microphone audio, all without the user knowing.

The attacker could then listen in on conversations or capture audio at will, *even if the user denied microphone access*.

Here’s a (over-simplified) way an unprivileged app could abuse the bug

// Usually, RECORD_AUDIO permission is required
Intent intent = new Intent("com.android.voiceinteraction.START_HOTWORD");
intent.setComponent(new ComponentName(
    "com.android.system", 
    "com.android.voiceinteraction.HotwordService"
));

// The vulnerable service starts recording without checking permissions.
context.startService(intent); 

Why It’s Dangerous

- Zero permissions: No need to request RECORD_AUDIO, which means the user never sees the indicator or grant dialog.

How Was It Fixed?

After Google’s security team was alerted, a patch was released, starting with the November 2022 Android security updates. The fix was simply:

- Add the missing permission check before initializing microphone access in AlwaysOnHotwordDetector.java.

Reject any request from an app that hasn’t been explicitly granted RECORD_AUDIO.

From the AOSP Diff:

if (context.checkCallingOrSelfPermission(RECORD_AUDIO) != PERMISSION_GRANTED) {
    Log.e(TAG, "Attempted to start recognition without RECORD_AUDIO permission!");
    return;
}

Resources

- Official Android Bulletin
- AOSP Patch Commit
- NVD: CVE-2022-20446

Conclusion

CVE-2022-20446 is a classic example of how one missing permission check can have huge privacy consequences, letting any background app access the microphone without your knowledge. Always keep your Android devices up to date, and watch out for permissions even if you think Google and phone makers have you covered.

Timeline

Published on: 11/08/2022 22:15:00 UTC
Last modified on: 11/09/2022 15:52:00 UTC