CVE-2023-35674 - How a Logic Bug in Android’s WindowState.java Can Let Apps Bypass Foreground Restrictions
Android’s sandboxing and activity management is one of the pillars that keeps your phone secure — stopping malware from running in the background or behind your back without your knowledge. But sometimes a small mistake in the code can let an attacker break these rules, potentially opening the door to privilege escalation. That’s exactly what happened with CVE-2023-35674.
This post will explain, in simple language, what this vulnerability is, why it occurred, and how an attacker could exploit it. We’ll also include sample code and tips on how to stay safe.
What is CVE-2023-35674?
*CVE-2023-35674* is an Android vulnerability caused by a logic bug in the code of WindowState.java, a part of the Android OS responsible for managing app windows. It allows a malicious app to launch a background activity — bypassing restrictions that are supposed to prevent background apps from taking focus or starting new tasks.
Impact:
- Local escalation of privilege (in plain terms, a normal app running in the background can force itself to the front, or trigger actions it shouldn’t be able to).
- No extra permissions required; the attacking app only needs to be installed.
- No user interaction needed — the attacker does not need to trick the user into clicking anything.
How Did This Happen? (The Mistake in Code)
In Android, apps are not supposed to start activities from the background unless they are interacting with the user. This is to stop spam, scams, and malware.
But in WindowState.java, there was an error in the onCreate method. The method failed to check whether an app launching an activity was actually in the foreground — it let background apps start activities, which they’re not supposed to do.
Here’s a simplified version of the problematic Java code (paraphrased for clarity):
    public void onCreate() {
        // ... some code
        if (shouldStartActivity()) {
            // A check that the caller is in the foreground belongs here,
            // but the flawed logic proceeds straight to the launch.
            startActivity();
        }
        // ... some code
    }
In reality, the logic skipped or mishandled the check that ensures only foreground apps can launch an activity, letting background apps slip through the cracks.
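To make the missing check concrete, here is an added toy model (not AOSP code, and not the actual WindowState.java logic) that puts the buggy shape of the gate next to a hardened one. The caller states, the 10-second interaction grace window and the method names are assumptions made for this illustration.

```java
import java.util.EnumSet;

public class LaunchGateDemo {
    // Conditions a launch gate would consult (assumed, simplified for illustration).
    enum CallerState { FOREGROUND, HAS_SYSTEM_ALERT_WINDOW }

    // Assumed grace window: a launch shortly after real user interaction is still treated as user-driven.
    static final long INTERACTION_GRACE_MS = 10_000;

    // Buggy shape described in the post: the launch proceeds whenever the app wants to launch;
    // the caller's foreground state is never consulted.
    static boolean buggyShouldStartActivity(boolean wantsToLaunch, EnumSet<CallerState> caller,
                                            long lastInteractionMs, long nowMs) {
        return wantsToLaunch;
    }

    // Hardened shape: a background caller is refused unless it is in the foreground,
    // holds SYSTEM_ALERT_WINDOW, or the user interacted with it within the grace window.
    static boolean fixedShouldStartActivity(boolean wantsToLaunch, EnumSet<CallerState> caller,
                                            long lastInteractionMs, long nowMs) {
        if (!wantsToLaunch) {
            return false;
        }
        boolean recentInteraction = lastInteractionMs >= 0
                && (nowMs - lastInteractionMs) <= INTERACTION_GRACE_MS;
        return caller.contains(CallerState.FOREGROUND)
                || caller.contains(CallerState.HAS_SYSTEM_ALERT_WINDOW)
                || recentInteraction;
    }

    public static void main(String[] args) {
        EnumSet<CallerState> background = EnumSet.noneOf(CallerState.class);
        EnumSet<CallerState> foreground = EnumSet.of(CallerState.FOREGROUND);
        long now = 100_000; // constructed clock value in milliseconds

        // A background app that last saw user interaction a minute ago.
        System.out.println("background app, buggy gate:  "
                + buggyShouldStartActivity(true, background, now - 60_000, now));
        System.out.println("background app, fixed gate:  "
                + fixedShouldStartActivity(true, background, now - 60_000, now));
        // The same app two seconds after the user tapped it.
        System.out.println("recent interaction, fixed gate: "
                + fixedShouldStartActivity(true, background, now - 2_000, now));
        System.out.println("foreground app, fixed gate:  "
                + fixedShouldStartActivity(true, foreground, -1, now));
    }
}
```

The buggy gate lets the minute-old background caller through, while the hardened gate refuses it and only admits the foreground, overlay-permitted, or recently-interacted cases.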
Exploit Example: How Could an Attacker Use This?
Let’s say there’s a messaging app running in the background. Normally, if an attacker tries to launch a phishing activity or overlay without the user doing anything, Android should block it.
But using CVE-2023-35674, a malicious background app can launch a new Activity (a window) — such as a fake login page, or bring itself to the foreground. Since this can happen silently, it opens the door to:
Sample PoC (Proof of Concept)
Here’s simplified proof-of-concept code. Do not use this for illegal activity. This is for educational purposes only.
    import android.content.Context;
    import android.content.Intent;

    // Build a launch intent for the app's own activity, run from a background context.
    Intent intent = new Intent(context, MaliciousActivity.class);
    intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
    // This should be blocked when the app is in the background, but the bug lets it run.
    context.startActivity(intent);
Normally, if your app is running in the background, Android would refuse this unless you have SYSTEM_ALERT_WINDOW or you are in the foreground. *With this bug, it succeeds.*
Official References
- Android Security Bulletin June 2023 — lists this CVE and patches
- CVE Record at NIST
- Google Issue Tracker
- AOSP code review fix commit (You’ll need some Java knowledge to follow this.)
Remediation & Fix
Google patched this in Android security updates as of June 2023. If your phone has recent security patches, you are protected.
- Update your device: Always install the latest Android security updates.
- Be wary of sideloaded apps: This exploit does not require special permissions, so don’t install unknown APKs or apps from untrusted sources.
Final Thoughts
CVE-2023-35674 is an example of how even a small oversight in access control can have major consequences. The Android security team and open source community responded quickly, but with more devices lagging behind on updates, these exploits can stick around for years.
*Always keep your phone updated,* and if you’re an Android developer, review your app’s use of Activity launch patterns and permissions.
Sources:
- Android Security Bulletin June 2023
- CVE at NIST
- Google Issue Tracker
- AOSP Patch
*Stay safe out there. Even the background matters!*
Timeline
Published on: 09/11/2023 21:15:00 UTC
Last modified on: 09/14/2023 01:28:00 UTC