CVE-2024-49744 - Unsafe Deserialization in Android's AccountManagerService Leads to Local Privilege Escalation

In May 2024, Google’s Android Security Team disclosed a vulnerability tracked as CVE-2024-49744. This bug affects the AccountManagerService component—critical for managing user credentials and accounts—present in the Android framework. The issue is significant because it could allow a local attacker to escalate their privileges on a target device without any special permissions, although user interaction is required for successful exploitation.

Let's break down what this means, how the vulnerability works, and what potential attackers might do with it. We'll include code snippets and direct reference links for those who want to dig deeper.

Where's the Bug?

The core of the problem is in the checkKeyIntentParceledCorrectly method inside the AccountManagerService.java file. This method is supposed to make sure that only safe data travels between different apps and the core system by checking how data is packed and unpacked ("parcelled" and "unparceled"). Unfortunately, due to unsafe deserialization, an attacker might bypass these checks and send dangerous data.

Specifically, the service doesn't safely verify the type of objects being deserialized. That gap lets a malicious app sneak in unexpected or malicious objects.

Let's look at a simplified version of the vulnerable code

// AccountManagerService.java

private boolean checkKeyIntentParceledCorrectly(Intent intent) {
    // supposed to check Parcelable objects before using
    Bundle extras = intent.getExtras();
    if (extras != null) {
         Parcelable parcel = extras.getParcelable("key");
         // PROBLEM: No type or safety check before using the deserialized object
         if (parcel instanceof Intent) {
             // do something...
         }
    }
    return true; // incorrectly assumes all is well
}

The inflater here: extras.getParcelable("key") can deserialize any object a malicious app supplies, not just the safe and expected ones.

Reference:
- Google's AOSP reference commit
- Android Security Bulletin (June 2024)

Exploitation Scenario

How could an attacker use this?
A malicious app on the device crafts a special Intent with a malicious Parcelable object. Then, by tricking the user (e.g., through a fake authentication request or social engineering), it gets the system to call the vulnerable method.

What could happen?

Malicious objects are deserialized in a privileged context.

- Attackers get capabilities they shouldn’t have (e.g., access other app’s data, impersonate accounts, or escalate permissions).

Here is a fictional exploit proof-of-concept illustratively

// Malicious Parcelable
public class EvilParcelable implements Parcelable {
    @Override
    public int describeContents() { return ; }

    @Override
    public void writeToParcel(Parcel dest, int flags) {
        // Write evil payload or crafted input
    }

    public static final Parcelable.Creator<EvilParcelable> CREATOR =
        new Parcelable.Creator<EvilParcelable>() {
            public EvilParcelable createFromParcel(Parcel in) {
                // Payload executes here when deserialized!
                executeEvilCode();
                return new EvilParcelable();
            }
            public EvilParcelable[] newArray(int size) { return new EvilParcelable[size]; }
        };
}

The attacker triggers deserialization by sending

Intent intent = new Intent();
Bundle extras = new Bundle();
extras.putParcelable("key", new EvilParcelable());
intent.putExtras(extras);
// send the Intent to the vulnerable AccountManagerService

Protection & Patches

Mitigation:
Android has patched the vulnerability in new security updates by implementing stricter type checking and safer deserialization in their service.

Patch Reference:

AOSP Patch Diff

What Should Users Do?

Update your device to the latest security patch—look for June 2024 or later updates.

- Avoid installing apps from unknown sources, as attacks require a malicious app to be present on your phone.

Summary

- CVE-2024-49744 exposes Android devices to privilege escalation via unsafe deserialization in AccountManagerService.java.
- Local attackers can craft malicious data parcels to abuse system privileges, but user interaction is required.

More Reading

- Android Security Bulletins
- Deserialization Vulnerabilities Explained
- AOSP Patch for CVE-2024-49744 (code diff)

Timeline

Published on: 01/21/2025 23:15:14 UTC
Last modified on: 03/18/2025 19:15:45 UTC