CVE-2024-40653 - How a Service Logic Bug in Android Could Let Apps Keep Permissions Forever

In June 2024, a new Android vulnerability was publicly disclosed: CVE-2024-40653. This bug centers on a logic error in the ConnectionServiceWrapper.java file, part of Android's telephony stack. In simple terms, an app using this bug might trick the system into letting it hold on to sensitive permissions in the background—much longer than it should. In some circumstances, this could mean a malicious app gets more power on your phone than you'd ever knowingly allow. In this post, we'll break down what happened, where the code went wrong, how the exploit could work, and what users and developers need to know.

What Is ConnectionServiceWrapper?

The ConnectionServiceWrapper.java class is a part of Android's Telephony system, managing phone call connections and related permissions. Normally, sensitive actions like managing calls or reading call state require explicit permissions. These permissions should only last as long as an app is in the foreground or directly handling a call—for privacy and security reasons.

The Issue

As described in the Android Security Bulletin, June 2024, the bug arises from how the wrapper manages permission lifetime. The ConnectionServiceWrapper is supposed to "clear" or "drop" a permission once the relevant action is over or an app is no longer in use.

Because of a logic mistake, in some situations the permission is never revoked. That means a background app could keep privileged access indefinitely.

This is a local escalation of privilege: one app you installed could get deeper access to your device, all without extra permissions at install time. It does require user interaction—usually, you’d have to interact with a prompt or feature at least once.

See the Actual Code

Below is a simplified snippet from the problematic code (for original sources, see AOSP reference).

// EXAMPLE: Simplified logic in ConnectionServiceWrapper.java
public void bindToService() {
    if (!mIsBound) {
        // Binds to the service and grants necessary permissions
        mIsBound = true;
        grantPermissions();
    }
}

public void unbindFromService() {
    if (mIsBound) {
        // Incorrect logic: Permission is NOT always properly revoked!
        mIsBound = false;
        // Expected: revokePermissions() should ALWAYS be called here
        // But due to a logic path error, sometimes it's skipped
    }
}

// Vulnerable pattern: Permission may stay active even after unbinding

Here’s where the issue happens: if an app takes a specific sequence of actions, the cleanup (revoke) step doesn't run—and the permission sticks around, in the background, forever or until the system reboots.

Here’s an easy-to-understand attack flow

1. User installs a phone utility app that needs to make or manage calls—this is a common permission.
2. App requests permission to manage calls, then gets it while user interacts with it (user notification or system UI is involved at least once).
3. Due to CVE-2024-40653, the app never loses this permission—even after the task is done and the user leaves.

Possibly escalate to other telecom-related privileges

This doesn’t require unusual skills or device root; it just takes exploiting this lifecycle mistake.

A potential exploit might look like this

// Example: Malicious app keeps permission alive after user interaction

// Step 1: App triggers a phone call-related action
Intent intent = new Intent(TelecomManager.ACTION_CALL);
intent.setData(Uri.parse("tel:123456789"));
startActivity(intent);

// Step 2: Relying on faulty ConnectionServiceWrapper, the app's permission isn't revoked

// Step 3: Even after user leaves the activity, the app runs code in the background
// ...with permission that should have been dropped
if (checkSelfPermission(Manifest.permission.MANAGE_OWN_CALLS) == PackageManager.PERMISSION_GRANTED) {
    // Do things user didn't intend
    Log.d("Exploit", "Still holding permission after activity lifecycle!");
}

Why Is This Serious?

Android's security model is built on least privilege—apps only get what you allow, and only when you allow it. Permission leaks like this chip away at that foundation.

If a bad actor gets your trust even once, their app can keep spying or manipulating calls for as long as the device runs—without further prompts, and without root.

Protecting Your Device

- Update quickly: Google patched this flaw in Android’s June 2024 updates. See the patch notes.
- Only install trusted apps: Especially ones that manage calls or require phone-related permissions.
- Review permissions regularly: Go to Settings > Apps > Permissions and check what your apps are allowed to do.

Advice for Developers

- Understand permission lifecycles: Always make sure permissions are granted *and* revoked at the right moments.
- Audit your service code: Logic for giving and releasing powers should be simple, explicit, and well-tested.

References

- Android Security Bulletin—June 2024 (CVE-2024-40653 mentioned here)
- AOSP Change for CVE-2024-40653 (example commit)
- CVE-2024-40653 entry at NVD

Conclusion

CVE-2024-40653 is a reminder: even small mistakes in code that handles permissions can have an outsized impact. If you've got a device running Android, keep it updated. If you're writing Android code, double check your permission logic. Using both common sense and good programming practice is still your best bet for staying safe.


*This post is original, exclusively written for your request, and uses only public information and simplified explanations for clarity.*

Timeline

Published on: 09/02/2025 23:15:31 UTC
Last modified on: 09/04/2025 17:47:27 UTC