CVE CyberSecurity Database News

CVE-2024-31320 - How a Silent Companion Device Association Bug Can Escalate Privileges on Android

Poster -

In early 2024, a new Android security vulnerability was discovered and tracked as CVE-2024-31320. It resides in the setSkipPrompt method of AssociationRequest.java. This flaw can let an attacker establish a trusted connection between a companion device and your Android phone — without you ever knowing or being asked for consent.

This in-depth post will walk you through the bug, why it matters, show real code snippets, and detail how it can be exploited for a local privilege escalation—no extra user permissions or interactions needed.

What is Companion Device Association?

A *companion device* could be a smartwatch, fitness tracker, or even a car infotainment unit. Android devices use the Companion Device Manager (CDM) to manage associations with these devices in a way that’s supposed to require user confirmation for each pairing, to prevent silent or malicious connections.

The Vulnerability: setSkipPrompt() in AssociationRequest.java

The bug sits in how the Companion Device Manager (CDM) deals with the function setSkipPrompt within AssociationRequest.java. Normally, CDM pops up a confirmation prompt when any app tries to associate a new device. This is to make sure only the user can approve trusted device connections.

The vulnerable method looks roughly like this (simplified)

// Example: AssociationRequest.java

public class AssociationRequest {
    private boolean mSkipPrompt;

    public AssociationRequest setSkipPrompt(boolean skip) {
        mSkipPrompt = skip;
        return this;
    }
}

In a legitimate scenario, setSkipPrompt should only ever be used by privileged system apps, never by third-party apps. However, the CDM didn’t sufficiently check the caller’s privileges, so any local app—even without special permissions—could call setSkipPrompt(true). This bypasses the required user confirmation!

Why Is This Possible?

The Companion Device Manager accepts requests via IPC (inter-process communication). But, due to a lack of caller verification in its handling of setSkipPrompt, an unprivileged app can just slip this in and be accepted like a system component.

Exploit Details: How an Attacker Can Abuse CVE-2024-31320

Threat Model: A rogue app already installed on your phone (no user interaction required after install!).

App Builds an Association Request:

The malicious app creates an AssociationRequest and sets .setSkipPrompt(true), disabling the user prompt.

CDM Accepts the Association Silently:

Due to the bug, the request succeeds and the user never sees a prompt. The device is now paired as "trusted."

App Receives Special Access:

With the device associated, the app can leverage extra features or permissions (for example: background communication, Bluetooth access, notification listening, etc.) that are otherwise guarded by the association process.

Here’s a conceptual exploit flow in Java

// Malicious app code

AssociationRequest request = new AssociationRequest.Builder()
    .addDeviceFilter(/* attacker's device filter */)
    .setSkipPrompt(true)  // The problematic line
    .build();

CompanionDeviceManager cdm = (CompanionDeviceManager) context.getSystemService(Context.COMPANION_DEVICE_SERVICE);

cdm.associate(request, new CompanionDeviceManager.Callback() {
   @Override
   public void onDeviceFound(IntentSender chooserLauncher) {
       // Normally you'd launch user prompt here, but with skipPrompt=true it just goes through
   }

   @Override
   public void onFailure(CharSequence error) {
       // Handle failure
   }
}, null);

Result: The attacker's payload or device is transparently associated, giving it backdoor powers.

No App Permissions Needed: The exploit doesn’t require any special runtime permissions.

- No User Interaction: The user never sees a confirmation dialog; everything happens in the background.
- Leads to Privilege Escalation: Getting associated as a companion device opens Android up to all sorts of attacks—background process persistence, reading notifications, silent communication over Bluetooth, and more.

CVSS Score: Medium-High (local escalation, no interaction required)

- Patched In: See device vendor updates; Google fixed this issue in June 2024 Android Security Patch.

References

- Android Open Source Project (AOSP) issue tracker for CVE-2024-31320
- Google Android Security Bulletin—June 2024
- CVE-2024-31320 at NVD

Update Your Device: Install the latest Android security updates (patch June 2024 or newer).

- Be Cautious With Apps: Don’t sideload apps from unknown sources—this vulnerability can be silently exploited by rogue apps.

Conclusion

CVE-2024-31320 is a vivid example of how a small lapse in permission checks inside a system component can trigger significant security issues. Here, just a single unchecked method (setSkipPrompt) opened the door for privilege escalation by stealth-companion device association—proof that deep system privileges must always be rigorously controlled.

Always keep your device updated and stay alert to new security disclosures!

*This post was written exclusively for you with a technical-yet-accessible perspective. Stay safe!*

Timeline

Published on: 07/09/2024 21:15:13 UTC
Last modified on: 07/12/2024 16:11:32 UTC