CVE-2024-49732 - Escalating Privileges in Android via CompanionDeviceManagerService Missing Permission Check
---
Introduction
On June 3, 2024, a new Android security vulnerability was assigned: CVE-2024-49732. This issue affects the CompanionDeviceManagerService in Android. At its core, it opens a hole allowing rogue apps to grant themselves permissions without any user approval. This could give an attacker more control over the victim's device without needing any extra permissions—or even user interaction.
This article offers a comprehensive, easy-to-understand breakdown of this flaw, its causes, and how it can be exploited, along with code snippets illustrating the issue.
What is CompanionDeviceManagerService?
CompanionDeviceManagerService.java is a system service in Android that lets apps connect to external or *companion devices* (think smartwatches, fitness trackers, etc.). It manages the association between apps and physical devices, and usually, some permissions and user approvals are involved at different steps.
What Goes Wrong: Missing Permission Checks
The crux of CVE-2024-49732 is that some functions in CompanionDeviceManagerService.java forget to check whether the app calling them actually has the right to do so. This gap means a malicious app could call these functions directly, bypassing the normal request and approval flow, and grant itself permission it should not have.
notifyDeviceDisappeared()
Each of these functions should check if the caller has a permission like android.permission.MANAGE_COMPANION_DEVICES, but due to coding oversight, this check is skipped.
Example Vulnerable Code
// CompanionDeviceManagerService.java
public void associate(AssociationRequest request, Callback callback, String callingPackage) {
// MISSING: Permission check here!
// Should be:
// enforceCallingPermission(MANAGE_COMPANION_DEVICES, "No permission to associate");
// Now proceeds to make associations...
performAssociation(request, callingPackage);
callback.onAssociationCreated();
}
Here, the associate() method directly processes the association, skipping any check on whether the caller has the right permission.
What Could a Malicious App Do?
By directly calling these exposed functions through inter-process communication (Binder), an app could:
The vulnerable version of the service is running (pre-patched Android).
### Exploit Steps (Pseudocode/Java)
// A malicious app could use reflection or direct Binder IPC
// Here's a simplified Java-style pseudocode:
Intent exploitIntent = new Intent();
exploitIntent.setComponent(new ComponentName(
"android",
"android.companion.CompanionDeviceManagerService"
));
// Build a fake AssociationRequest
AssociationRequest request = new AssociationRequest.Builder()
.addDeviceFilter(myEvilDeviceFilter)
.build();
// Bind and invoke the privileged function
service.associate(request, evilCallback, getPackageName());
No special permissions or user actions are needed; the exploit is as simple as making a method call.
Local escalation of privilege: An unprivileged app suddenly has new powers.
- Privacy invasion: The attacker could pair with or control devices like smartwatches, extract data, or send notifications.
Original References and Sources
- Google AOSP Issue Tracker: CVE-2024-49732
- NVD - CVE-2024-49732
- Android Security Bulletin June 2024
How To Protect Yourself
- Update your device: Google has released patches to fix this bug in June 2024. Make sure your system is up-to-date.
- Check app permissions: Avoid apps from unknown sources, especially those asking for device associations.
Conclusion
CVE-2024-49732 is a stark reminder that even small missing checks in system services can lead to serious security breaches. Android users are protected if they have the June 2024 security update or later, but devices left behind on older software are at risk.
Patch, monitor, and stay aware!
*Want more technical details or code samples? Explore the AOSP source diff for the official fix.*
Timeline
Published on: 01/21/2025 23:15:14 UTC
Last modified on: 01/22/2025 18:15:19 UTC