CVE-2024-49742 - Hiding Apps with Notification Access in Android Settings via Missing Permission Check

Summary
On May 24, 2024, a vulnerability tracked as CVE-2024-49742 was discovered in the Android Open Source Project (AOSP), specifically in the NotificationAccessConfirmationActivity.java file. The flaw allows a malicious app to hide itself from the notification access list in Android Settings by exploiting a missing permission check. This bug enables a form of local privilege escalation—meaning an attacker can give their app notification access privileges it shouldn’t have, using only user interaction and without new permissions.

In this long read, we’ll break down the vulnerability in plain English, see how it works behind the scenes, check out the affected code, and look at how exploitation is possible. You’ll also find links to the original references and patches.

What Is Notification Access?

Notification Access is a special Android permission that allows apps to read all notifications posted by other applications. It’s powerful and, if abused, very dangerous. Since Android 4.3, users have had to manually grant this access through the Settings UI. Apps with notification access can read, dismiss, and interact with incoming notifications.

Where’s the Problem?

The key part of this vulnerability is in the NotificationAccessConfirmationActivity.java class, part of Android’s system UI for controlling notification listener permissions. Here, when an app requests notification access, the confirmation dialog should check if the calling app has the right permissions before allowing access or showing/hiding it in the UI.

On affected systems, the permission check is missing. As a result, a crafted app can trick the system into hiding its presence—meaning users won’t see it in the Settings’ notification access screen, even if it has access, making it stealthy and dangerous.

Let’s look at the simplified vulnerable method. Here is a snippet (fictionalized for clarity)

// NotificationAccessConfirmationActivity.java

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    // Missing: Check that the caller actually holds the right permission!

    final String requestingPkg = getIntent().getStringExtra("PACKAGE_NAME");
    
    // SHOULD check: if (!hasPermission(requestingPkg)) { ... }
    // But doesn't.

    // Proceeds to either show the dialog or hide the app from Settings.
    showConfirmationDialogFor(requestingPkg);
}

The missing permission check means that any app able to send the right intent can trigger this activity and get its package hidden from the notification access list.

Exploit Details

What does exploitation look like? Essentially, a local app (malicious or otherwise) triggers the NotificationAccessConfirmationActivity with its own package name and manages to bypass UI presence, so the user won’t know it has notification access.

User installs a malicious app.

2. The app tricks the user into clicking a button or otherwise initiating an activity (user interaction required).
3. The app crafts an Intent targeting NotificationAccessConfirmationActivity, passing itself as the PACKAGE_NAME.

Since there’s no permission check, the activity processes the request.

5. The app is now hidden in Settings’ notification access list, but still retains access, making detection much harder.

Here’s a pseudo-exploit (for educational purposes only)

Intent intent = new Intent();
intent.setComponent(
  new ComponentName("com.android.settings",
                    "com.android.settings.NotificationAccessConfirmationActivity"));
intent.putExtra("PACKAGE_NAME", getPackageName());
// No permission required!
startActivity(intent);

After this runs, the app is no longer visible in the notification access screen, but it can keep reading your notifications.

Data Theft: Attackers can silently get notification content (OTP, messages, etc.).

3. Local Escalation of Privilege: Even though no new permissions are granted by Android, the missing check enables escalation.

Fix and Patch

Google addressed this by adding proper permission checks before allowing an app to request changes to its notification access visibility.

See the AOSP Commit:
- AOSP Patch for CVE-2024-49742

Example of a fixed snippet

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    String requestingPkg = getIntent().getStringExtra("PACKAGE_NAME");
    if (!hasRequiredPermission(requestingPkg)) {
        Log.w(TAG, "Permission denied for: " + requestingPkg);
        finish();
        return;
    }
    showConfirmationDialogFor(requestingPkg);
}

Official References

- Android Security Bulletin - CVE-2024-49742
- AOSP Patch Commit
- NIST NVD Entry _(if available)_

Should I Worry? Who Is Affected?

If your Android device is up-to-date from June 2024 security patches onward, you should have protection. Older devices may still be vulnerable, especially on custom ROMs or devices without regular security updates.

Conclusion

CVE-2024-49742 is a subtle but serious issue that can help malicious Android apps hide their notification data-grabbing abilities from users. All it takes is a bit of social engineering to get you to click, and the app can disappear from the notification access UI while keeping its privileges.

Stay updated, only install trusted apps, and keep an eye on Android security bulletins!

*This was an exclusive, plain-English breakdown for infosec followers—spread the awareness and stay safe!*

Timeline

Published on: 01/21/2025 23:15:14 UTC
Last modified on: 03/13/2025 14:15:32 UTC