In early 2024, security researchers uncovered a critical Android vulnerability: CVE-2024-0035. This flaw lies in the onNullBinding method of the TileLifecycleManager.java file, which is part of the Android SystemUI module responsible for handling Quick Settings tiles.
Due to a missing null check in the code, malicious local apps can abuse this vulnerability to launch arbitrary activities—even from the background. This opens the door for privilege escalation without the need for extra permissions or any user interaction.
In this article, we'll walk you through how this vulnerability works, provide an annotated code snippet, and explain how it can be exploited in practice. We’ll also give you links to the original references and resources for deeper learning.
Understanding the Vulnerability
The main issue is a missing null check inside the onNullBinding method. When onNullBinding is called, it sometimes handles an intent that might be null. If this case isn't properly caught, the code can be tricked into launching an activity from the background—a behavior Android should normally block for security reasons.
The problem code is inside the Android source file
// File: TileLifecycleManager.java
void onNullBinding(Intent intent) {
// ... some code ...
// The dangerous line is here: 'intent' might be null,
// but the activity is launched anyway.
context.startActivity(intent); // <-- No null check!
// ... some code ...
}
In a secure design, there should be a null check before trying to use the intent, like
if (intent != null) {
context.startActivity(intent);
}
No user interaction required: This attack can happen silently in the background.
- Escalation of privilege: Malicious code can launch protected activities or activities with elevated privileges.
Attack Steps
1. A malicious app interacts with the Android system's Quick Settings tile system in a way that triggers onNullBinding() while supplying a crafted intent (possibly null or malicious).
2. Because there’s no null check, the app can force the system to call startActivity() from the background—even when normally not allowed.
3. This can be utilized to launch system activities or escalate privileges, bypassing Android’s background activity launch restrictions.
Example Exploit Code
Suppose an attacker creates a Quick Settings tile and removes its binding, causing the system to trigger onNullBinding. They might craft an exploit like:
// Malicious tile service triggers onNullBinding in the system.
public class EvilTileService extends TileService {
@Override
public void onTileRemoved() {
// The system may respond by calling its own onNullBinding(intent)
// with a crafted or absent intent, leading to privilege escalation
// through the exploit described.
}
}
By manipulating the tile state and triggering system callbacks, the attacker's code causes the vulnerable method to execute, leading to unauthorized activity launches.
## How to Patch / Mitigate
The fix is straightforward: always check if the intent is null before trying to launch an activity. This prevents a malicious or accidental null from being used.
Patched code
void onNullBinding(Intent intent) {
if (intent != null) {
context.startActivity(intent);
}
}
Mitigation for Users:
References and Further Reading
- Android Security Bulletin - CVE-2024-0035
- Google Issue Tracker Entry for CVE-2024-0035
- TileLifecycleManager.java (AOSP source)
- Explanation from BleepingComputer
Summary
CVE-2024-0035 is a great example of how a missing null check in a seemingly harmless place can open up severe security risks—like local privilege escalation without user awareness. Make sure to keep your devices up to date, and remember: never underestimate the importance of thorough input validation!
Timeline
Published on: 02/16/2024 02:15:50 UTC
Last modified on: 08/28/2024 15:35:11 UTC