Android security is often about subtle bugs with huge consequences. In 2022, security researchers revealed a permission bypass in the Telephony module—CVE-2022-32601. This bug didn’t require fancy root exploits, user trickery, or even advanced malware. Instead, it relied on a mismatch in how Android’s Telephony system read parcels—a humble flaw with the potential to seriously escalate privileges.
In this exclusive post, we'll break down how CVE-2022-32601 worked, what code was involved, and why it mattered. If you’re a developer, security enthusiast, or just curious how permissions get bypassed on Android, read on. We’ll keep it in plain American English.
What’s a Parcel Format Mismatch?
Android processes communicate by sending “parcels”: bundles of data with a strict format defined in code (AIDL interfaces). When the sender and receiver agree on the format, everything works fine. But if there’s a difference—say, the sender sends one thing, the receiver expects another—you can sometimes trick the system. That’s what happened here.
Telephony and Permissions
Android’s Telephony service controls phone calls, SMS, SIM info, and much more. It’s supposed to only grant access to sensitive features, like changing radio state or managing subscriptions, to privileged system processes or apps with special permissions.
- Component: TelephonyManager in the Android Framework (AOSP)
- Vulnerability: In handling IPC (Inter-Process Communication) parcels, the system used different assumptions about what data was coming in; this mismatch could cause the receiver to misinterpret the sender’s data types.
- Consequence: An app without the required permission could slip through and perform privileged telephony actions.
Let’s look at simplified code:
```java
// SYSTEM SIDE (receiver)
public void onTransact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
    switch (code) {
        case GET_PHONE_STATE: // expects permission check here
            // Problem: expects an integer, but attacker sends in a crafted parcel
            int arg = data.readInt();
            if (hasPermission(PERM_READ_PHONE_STATE)) {
                // grant
                reply.writeNoException();
                reply.writeInt(getPhoneState());
            } else {
                // deny
                reply.writeException(new SecurityException());
            }
            break;
    }
}
```
An attacking app could send a parcel that tricks the receiver into reading incorrect data—skipping or bypassing internal permission checks.
```java
// MALICIOUS APP (sender)
Parcel data = Parcel.obtain();
Parcel reply = Parcel.obtain(); // receives the service's response
data.writeInt(123); // Some crafted data to later offset reads
// ... maybe write more data to confuse the format
// Now send the parcel via binder
IBinder telephonyBinder = ... // get via reflection or hidden API
telephonyBinder.transact(GET_PHONE_STATE, data, reply, 0); // 0 = default (synchronous) flags
```
Because of the format mismatch, the permission check is never triggered correctly—the code “skips” over it, or uses attacker-controlled values. The result: your app does privileged actions without actually holding the permission.
- Who could exploit it? Any app installed on an affected device (no root needed).
- What could be done? Access telephony information, manipulate the radio state, or perform other actions normally gated behind permissions.
- Issue ID: ALPS07319132
- Affected Android versions: Varies by OEM; commonly in AOSP and devices using the vulnerable TelephonyManager code.
- Fixed in: Later security updates from Google and OEM vendors.
The fix was simple yet effective: ensure both sides follow the agreed parcel format, and validate every field before processing it. Permission checks were hardened to run *before* any data parsing.
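The ordering described above (authorize first, then parse strictly, then reject anything left over) can be sketched as follows. This is an added example, not AOSP or vendor patch code: `ByteBuffer` stands in for `android.os.Parcel` so it runs on a plain JVM, and the transaction code, permission string, slot range and state values are assumptions.

```java
import java.nio.BufferUnderflowException;
import java.nio.ByteBuffer;
import java.util.Set;

// Added example: a plain-JVM model of a hardened receiver. All names and values are hypothetical.
public class StrictTransactDemo {
    static final int GET_PHONE_STATE = 1;                  // hypothetical transaction code
    static final String PERM_READ_PHONE_STATE = "READ_PHONE_STATE";
    static final int MAX_SLOT = 1;                         // assumed format: one int32 SIM slot, 0 or 1

    static int handle(int code, ByteBuffer data, Set<String> callerPerms) {
        if (code != GET_PHONE_STATE) { throw new IllegalArgumentException("unknown transaction code"); }
        // 1. Authorize before touching the payload: the decision depends only on
        //    who is calling, never on bytes the caller controls.
        if (!callerPerms.contains(PERM_READ_PHONE_STATE)) { throw new SecurityException("caller lacks permission"); }
        // 2. Read exactly the fields the agreed format defines.
        int slot;
        try { slot = data.getInt(); }
        catch (BufferUnderflowException e) { throw new IllegalArgumentException("truncated parcel"); }
        // 3. Validate the field before using it.
        if (slot < 0 || slot > MAX_SLOT) { throw new IllegalArgumentException("slot out of range: " + slot); }
        // 4. Leftover bytes mean sender and receiver disagree on the format: reject.
        if (data.hasRemaining()) { throw new IllegalArgumentException(data.remaining() + " trailing bytes"); }
        return slot == 0 ? 2 : 0;                          // constructed state values
    }

    // Builds a constructed sample parcel from a sequence of int32 fields.
    static ByteBuffer parcel(int... ints) {
        ByteBuffer b = ByteBuffer.allocate(4 * ints.length);
        for (int v : ints) { b.putInt(v); }
        b.flip();
        return b;
    }

    static String attempt(String label, ByteBuffer data, Set<String> perms) {
        try { return label + " -> state " + handle(GET_PHONE_STATE, data, perms); }
        catch (RuntimeException e) { return label + " -> rejected (" + e.getClass().getSimpleName() + ": " + e.getMessage() + ")"; }
    }

    public static void main(String[] args) {
        Set<String> granted = Set.of(PERM_READ_PHONE_STATE), none = Set.of();
        // Constructed inputs, not captured traffic.
        System.out.println(attempt("well-formed, permitted", parcel(0), granted));
        System.out.println(attempt("extra field, permitted", parcel(0, 123), granted));
        System.out.println(attempt("out-of-range, permitted", parcel(123), granted));
        System.out.println(attempt("malformed, no permission", parcel(123, 7), none));
    }
}
```

In a real Binder service the corresponding calls are `Context.enforceCallingPermission()` for step 1 and `Parcel.dataAvail()` for the leftover-bytes check in step 4.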
- Update your device: If your device is still awaiting a 2022 security update, you may be at risk.
- Check your OEM: Some brands are slower to patch. Reference the patch ID ALPS07319132 in your vendor’s bulletins.
Why does this matter?
Because local permission bypasses are notorious: any app, even a game, could suddenly meddle with your phone’s most sensitive radio-level features—all without you lifting a finger. All thanks to a little misunderstanding over parcel formats!
Stay safe. Keep your devices updated. And if you write Android code, double-check those parcel formats!
Timeline
Published on: 11/08/2022 21:15:00 UTC
Last modified on: 11/09/2022 18:02:00 UTC