CVE CyberSecurity Database News

CVE-2024-31310 - Exploit Details and Analysis – Hiding Your Autofill App in Android Settings

Poster -

In April 2024, a security vulnerability was discovered in Android’s system component—the AutofillManagerService. Tracked as CVE-2024-31310, this issue can allow a maliciously crafted app to remain hidden from the list of enabled Autofill services in the phone’s settings. The bug stems from improper input validation in the newServiceInfoLocked method inside AutofillManagerServiceImpl.java. While this doesn’t directly allow full control over the device, it can enable local privilege escalation, making administrative and privacy controls less reliable. Let’s dive into the details.

What Is the Problem?

Autofill services are special Android apps that can automatically fill forms and logins across your device. By design, Android’s settings must always show users a complete list of enabled Autofill services, so they can manage or remove unwanted ones. But due to weak input validation in the newServiceInfoLocked method, it’s possible for an app to be enabled as an Autofill service yet be hidden from the user interface in settings.

Potential Impact: Local Elevation of Privilege

- User Interaction: Required (user must enable Autofill service, but once enabled the hiding trick is automatic)

How the Vulnerability Works

The bug is simple but effective. A malicious developer creates an Autofill service app that uses tricky service metadata or unusual intent filters—these inputs are not properly verified in newServiceInfoLocked. As a result, when Android’s settings app queries the list of enabled Autofill services, the malicious app’s service info is missing or malformed, so it is not displayed in the settings—even though it's active!

This makes it hard for users to tell they have a rogue Autofill service running, and they can’t easily remove or disable it from the normal interface.

Core Code Problem (Simplified)

Here’s a simplified illustration inspired by system logic (it is not the actual source, but it represents the faulty pattern):

// AutofillManagerServiceImpl.java

private ServiceInfo newServiceInfoLocked(ComponentName componentName) {
    // (Bad) Loads service info, but...
    ServiceInfo info = packageManager.getServiceInfo(componentName, );
    // (Bad) No check on required metadata!
    if (info == null) {
        // Should handle or reject, but sometimes it just returns null silently
        return null;
    }
    // (Bad) Malformed or missing meta-data? Not validated!
    return info;
}

If an app manipulates its manifest and metadata cleverly, getServiceInfo() may return a service with incomplete or malformed information. The settings UI then skips showing it—autofill is still enabled, just lost from your view.

Exploit Steps (Walkthrough)

1. Attacker crafts an Autofill service app with a manifest that purposefully omits or corrupts some required fields.

User enables this app as their Autofill service (could be tricked into doing so).

3. Android loads the faulty info via newServiceInfoLocked. Since checks are lax, the service is registered.
4. Settings UI tries to display enabled services but skips the attacker’s app because of the malformed info, effectively hiding it.

Persistence: The attacker’s app remains enabled with Autofill privileges.

- Evading audits: Users and some security tools relying on UI won’t easily spot or disable the app.
- Attack vector: Attacker can capture sensitive data via Autofill, invisible to non-technically advanced users.

No elevated system privileges required—just being set as Autofill.

User must install and enable the bad Autofill service, so social engineering is necessary. However, once enabled, the hiding is automatic.

A malicious app might use a service declaration like this

<service
    android:name=".MyEvilAutofillService"
    android:permission="android.permission.BIND_AUTOFILL_SERVICE"
    android:exported="true">
    <!-- Here's where key meta-data could be corrupted or missing -->
    <!-- Malformed or missing: android:label, android:settingsActivity, etc. -->
    <intent-filter>
        <action android:name="android.service.autofill.AutofillService" />
    </intent-filter>
</service>

It’s subtle—by abusing or omitting specific fields, the app’s service info class won’t load completely, making the settings app “forget” about it.

Detection

- Power users and administrators can run adb shell dumpsys autofill to see a raw list of enabled services, including hidden ones.

Only enable Autofill apps from trusted sources.

- Google/Android is patching this by strengthening input checks in the affected method—malformed or incomplete services will be rejected or forcibly shown.

Device administrators can use enterprise controls to whitelist allowed Autofill services.

Update your device—OEMs and Google have shipped patches since early 2024. Official Android Security Bulletin Link.

References

- Android Security Bulletin: May 2024
- NIST NVD Entry for CVE-2024-31310
- Android Autofill Service documentation

Conclusion

CVE-2024-31310 reveals how even minor bugs in Android system services can undermine key user controls. Local attackers can stay hidden by exploiting weak validation in AutofillManagerServiceImpl.java. Your best defense is careful app choices and timely security updates.

Keep your device patched and always double-check what Autofill services are enabled—if you can’t see one, it might be hiding in plain sight.

Timeline

Published on: 07/09/2024 21:15:12 UTC
Last modified on: 08/01/2024 13:50:49 UTC