In January 2024, a significant vulnerability—CVE-2024-0036—was discovered in the Android Open Source Project (AOSP). The bug is rooted in the startNextMatchingActivity method of ActivityTaskManagerService.java. This logic flaw enables any local app to bypass Android’s intended background activity launch restrictions, resulting in an escalation of privilege _without requiring user interaction_ or extra permissions. In this post, we’ll walk through the vulnerability, show code samples, explain the exploitation process, and share official references.
🔎 Background: Activity Launch Restrictions
To make Android devices more secure and user-friendly, Google restricts background apps from starting UI activities unexpectedly. Without these controls, background apps could interrupt users, spoof screens, or carry out phishing attacks.
Normally, only apps running in the foreground or with special privileges can start new activities. This system is managed in ActivityTaskManagerService.java—a core piece of Android’s activity lifecycle infrastructure.
⚠️ Where Did It Go Wrong? The Buggy Code
The method startNextMatchingActivity() is intended to safely move to the next activity in the app’s task stack, only if allowed by the system’s policies.
But due to a logic error, the method wrongly assumes certain conditions are safe, and _fails to correctly check / block_ background activity starts.
The problem occurs in code similar to the following (simplified for clarity)
// ActivityTaskManagerService.java
public boolean startNextMatchingActivity(IBinder callingActivityToken, Intent intent, Bundle options) {
// ... some setup
// FLAW: Resumes activities without checking if app is in background.
boolean started = mStackSupervisor.startActivity(intent, ...);
return started;
}
What’s missing?
There’s no verification that the calling application is actually allowed to start an activity in the current state (e.g., not backgrounded).
A safe implementation should check if the caller is in the foreground, and enforce Android’s "background activity launch restrictions".
💥 The Exploit: Local Privilege Escalation, No User Interaction
Because of this logic flaw, a background app can call startNextMatchingActivity() through exposed AOSP APIs or via an internal intent.
The app then calls startNextMatchingActivity(), directly or using an exported component.
3. Due to the missing restrictions, Android happily starts the new activity, putting it atop whatever is shown to the user.
Result:
The background app can unexpectedly launch full-screen activities (for overlay, phishing, or any malicious reason) _at any time_, even though it shouldn’t have this ability under normal rules.
Simple Exploit Example (Pseudo code)
// Attacker's code (run in background)
Intent intent = new Intent(context, MaliciousActivity.class);
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(intent);
// Since the system's restriction isn't enforced here, this works!
No system dialogs, no permission prompts—no user interaction needed.
🔒 Severity and Real-World Impact
This bug allows _any_ application on an affected device (such as Android 14 prior to the patch) to break established security boundaries.
Draining device resources or overriding Do Not Disturb
Because it’s a local escalation and doesn’t require extra permissions, it can be combined with other tactics to create highly convincing attacks.
⏩ Patch and Fix
Google addressed this with a proper foreground check in startNextMatchingActivity().
Example fix (pseudo)
// ... inside startNextMatchingActivity()
if (!isAppForeground(callingPackage)) {
// Log and deny
Slog.w(TAG, "Attempt to start activity from background app");
return false;
}
Upgrade your device!
Ensure you’re on the latest Android security patch. Most manufacturers have rolled out the fix or will soon.
Android Security Bulletin (CVE-2024-0036):
https://source.android.com/security/bulletin/2024-01-01
AOSP Commit Fix:
https://android.googlesource.com/platform/frameworks/base/+/PATCH_ID (find the linked or referenced patch for CVE-2024-0036)
CVE Details:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0036
📝 Summary
CVE-2024-0036 is a prime example of how a simple mechanic—an unchecked method call—can punch a hole in Android’s protections. Its exploitation is easy, requires no user interaction, and could be combined with social engineering for impactful attacks. If you’re an Android user or developer, keep your devices patched, and audit any privileged code handling activity launches.
Timeline
Published on: 02/16/2024 02:15:51 UTC
Last modified on: 08/21/2024 21:35:03 UTC