CVE-2024-40677 - Exploiting Factory Reset Bypass in AdvancedPowerUsageDetail.java (Android Local Privilege Escalation)

---

Summary

A new Android vulnerability, CVE-2024-40677, has been disclosed in the AdvancedPowerUsageDetail.java class. This flaw allows local attackers to bypass factory reset protections on affected devices, escalating their privileges with no need for user interaction. The root cause lies in the shouldSkipForInitialSUW method, where a missing permission check lets an unauthorized local user take powerful actions.

In simple terms: an attacker with basic access to an Android device can exploit this weakness to sidestep important security protections—no superuser rights required, no user clicks needed.

Technical Details

The issue is inside the shouldSkipForInitialSUW method. Normally, certain actions (like resetting a device to factory state) require strict permission checks to avoid abuse. But in this case, the method does not properly check permissions. This means any local app or script can trigger it.

Here’s what a problematic part of AdvancedPowerUsageDetail.java could look like

public boolean shouldSkipForInitialSUW(Context context) {
    // ...some logic
    if (Build.IS_FACTORY_RESET_PROTECTION_ENABLED) {
        // Bypass without permission check
        return true;
    }
    // ...more logic
    return false;
}

What's wrong?

There is no verification like

if (context.checkSelfPermission(android.Manifest.permission.MASTER_CLEAR) != PackageManager.PERMISSION_GRANTED) {
    throw new SecurityException("No permission!");
}

Without this, any app—even one with minimal or zero permissions—can call this functionality.

Malicious Local App: An attacker installs or uses a minimal-permission app on the target device.

2. Abuse Method: App directly invokes shouldSkipForInitialSUW (or uses reflection, intents, etc. to trigger its effects).

Bypass Triggered: The device skips normal factory reset protection mechanisms.

4. Device Compromised: Attacker can perform data wipes or similar, bypassing security that's supposed to require higher permissions.

Below is a simplified proof-of-concept in Java that shows how an app could abuse this function

// WARNING: For educational purposes only!
try {
    Class<?> cls = Class.forName("com.android.settings.fuelgauge.AdvancedPowerUsageDetail");
    Method m = cls.getDeclaredMethod("shouldSkipForInitialSUW", Context.class);
    m.setAccessible(true);
    boolean bypassed = (Boolean) m.invoke(null, context);  // context is your current app context
    if (bypassed) {
        // Now you can bypass factory reset protections
    }
} catch (Exception ex) {
    // Handle errors
}

No special permissions are needed for invoking the method due to the missing check.

Mitigation & Patch

- Status: Google (and OEMs) have been notified. Patches are being released in monthly security updates for Android.
- What To Do: Update your device as soon as possible. If you develop ROMs or software, make sure to add the required permission checks to your copies of the source code.

Sample Patch

public boolean shouldSkipForInitialSUW(Context context) {
    if (context.checkSelfPermission(android.Manifest.permission.MASTER_CLEAR)
        != PackageManager.PERMISSION_GRANTED) {
        throw new SecurityException("No permission!");
    }
    // ...existing logic
}

References

- Android Security Bulletins
- NVD CVE-2024-40677 Entry
- Original Source (AOSP) - AdvancedPowerUsageDetail.java

Conclusion

CVE-2024-40677 is a classic example of how missing a simple permission check can lead to a serious privilege escalation bug on Android. If you have an affected device, update as soon as you can. If you build custom Android OS images, patch your code base to plug this hole fast.

Timeline

Published on: 01/28/2025 20:15:49 UTC
Last modified on: 01/28/2025 21:15:17 UTC