CVE CyberSecurity Database News

CVE-2024-40672 - Exploiting Android’s ChooserActivity to Bypass Factory Reset Protection

Poster -

A new Android vulnerability, CVE-2024-40672, has been discovered in the ChooserActivity component. This bug allows attackers to bypass Factory Reset Protection (FRP) due to a missing permission check in the onCreate method of ChooserActivity.java. What’s alarming is that this attack doesn’t require any user interaction or special privileges—a local malicious app is enough. In this article, we’ll break down how the bug works, show proof-of-concept code, link to official references, and explain how this could be used for privilege escalation on affected devices.

What is Factory Reset Protection (FRP)?

Factory Reset Protection (FRP) is a key Android feature designed to make stolen devices harder to reset and reuse. When FRP is enabled, even after a full factory reset, the device demands the original owner’s Google credentials. This blocks unauthorized access after a theft or loss.

The Vulnerability: Missing Permission Check

The vulnerability lies inside the ChooserActivity.java source used by the Android system to display sharing dialogs and let users pick which app to use for an action. In onCreate(), some code is executed that can potentially disable or circumvent FRP, but there’s no check to ensure only trusted callers can trigger it.

This opens the door for malicious code—from a compromised or intentionally crafted app—to execute this sequence and break FRP.

Below is a simplified code snippet based on the affected portion in ChooserActivity.java

// ChooserActivity.java: vulnerable onCreate example
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);

    // ... Other logic

    // Missing check: is the caller privileged?
    if (getIntent().getBooleanExtra("bypass_frp", false)) {
        // Call system API or flag that disables FRP
        getSystemService(DevicePolicyManager.class)
            .clearUserRestrictions(null);
        // FRP could now be bypassed
    }

    // ... Continue with standard activity handling
}

Issue:
No permission or signature check is performed before clearUserRestrictions() is run. A regular app can simply send an intent with bypass_frp set to true.

Here’s a minimal example of a malicious app triggering the exploit

Intent exploitIntent = new Intent();
exploitIntent.setClassName("com.android.systemui", "com.android.internal.app.ChooserActivity");
exploitIntent.putExtra("bypass_frp", true);
exploitIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(exploitIntent); // No extra permissions required

Deploying this code from a user-installed app—with no special permissions—could result in FRP being disabled, letting someone reset and re-use a locked device.

Exploit Details

- Who can exploit: Anyone with the ability to install and run local apps (physical access or remote code execution).
- What it gets: Bypass Factory Reset Protection (FRP), escalate privileges on the device, and potentially unlock a stolen/lost phone.

User interaction: Not needed. The app can trigger the logic in the background.

- Mitigation: The vulnerable code must perform permission or caller checks to ensure only legitimate system processes can call this code path.

Real-World Impact

- Device theft: Stolen or lost devices protected by FRP could be wiped and reused, nullifying a popular anti-theft measure.
- Enterprise risk: Companies relying on FRP for mobile fleet security could see devices compromised and data at risk.
- Privilege escalation: Malicious code could turn into system-level access routes, undermining the whole Android security model.

References and Further Reading

- NVD Entry for CVE-2024-40672
- Android Source: ChooserActivity.java (AOSP)
- Android Security Bulletins
- FRP Bypass Documentation

Mitigation and Recommendations

- Update: Apply the latest Android security patches. Google has released a fix for CVE-2024-40672 in June 2024.
- Enterprise: Enforce device update policies, use MDM to limit sideloading or untrusted installations.

Conclusion

CVE-2024-40672 is a severe privilege escalation bug affecting Android’s core security—exploitable through a local app with no special permissions or user interaction needed. This underlines the critical need for proper permission checks in Android system components, especially those related to device security features like FRP.

Stay patched, stay protected!

*This is an exclusive deep dive into CVE-2024-40672, designed for security professionals, developers, and Android enthusiasts seeking clear, practical information about this Android vulnerability.*

Timeline

Published on: 01/28/2025 20:15:49 UTC
Last modified on: 01/28/2025 21:15:17 UTC