Android’s user profile system is essential for privacy and security, but a recently discovered vulnerability—CVE-2025-22428—exposes a pathway for apps to gain unexpected power. Let’s break down what went wrong in the Android source, how an attacker could exploit it, and what developers and users need to know.
Summary of CVE-2025-22428
CVE-2025-22428 is a local privilege escalation vulnerability in Android, specifically within the logic of AppInfoBase.java. This bug makes it possible for an app running on the main (primary) user profile to grant itself powerful permissions under a secondary user profile, all without your knowledge or any extra user actions.
Implications:
Where’s the Problem? A Look at AppInfoBase.java
In Android, each user profile is supposed to work in isolation—a work profile can't mess with a personal one, for example. Apps shouldn’t gain admin-like privileges across those boundaries.
But *AppInfoBase.java* contains a logic bug in its hasInteractAcrossUsersFullPermission() method.
Here’s a simplified example of the vulnerable logic:

```java
public boolean hasInteractAcrossUsersFullPermission() {
    // ... load the permissions for this app
    if ((checkSelfPermission(android.Manifest.permission.INTERACT_ACROSS_USERS_FULL)
            == PackageManager.PERMISSION_GRANTED)) {
        return true;
    }
    // Here’s where things go wrong:
    if (this.userId == UserHandle.USER_SYSTEM) {
        // This logic wrongly trusts permissions from the primary user
        return true;
    }
    return false;
}
```
The problem?
If the code is running in the primary user context, it skips the permission check and returns true—granting the app "INTERACT_ACROSS_USERS_FULL" even for actions on other users' spaces!
1. An attacker’s app is installed on the primary user profile.
2. The app calls a system function (protected by INTERACT_ACROSS_USERS_FULL) intended to do things like list all users or send broadcasts to other user spaces.
3. Because of the logic bug, any permission check for cross-user interaction wrongly returns true.
4. The app performs privileged actions (like modifying or spying on secondary user apps, data, or settings), even though it never asked for special permissions!
Simplified POC Code:

```java
UserManager um = (UserManager) context.getSystemService(Context.USER_SERVICE);
List<UserHandle> users = um.getUserProfiles();
for (UserHandle user : users) {
    // This normally requires special permission!
    context.sendBroadcastAsUser(new Intent("android.intent.action.SECRET_ACTION"), user);
}
```
*In a secure system, the above code should fail for users other than the app’s current profile. Because of CVE-2025-22428, it works across profiles.*
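To make the difference between the two gates concrete, here is an added, self-contained model (not AOSP code and not part of the original write-up) of the permission check from the vulnerable method above, placed beside the corrected shape the patch description implies (the grant alone decides, the caller's user id is never trusted). Android framework types are replaced by plain constants and a permission set so it compiles with `javac` alone; `checkSelfPermission`, `reachableTargets` and the user ids 0, 10 and 11 are constructed stand-ins, and `reachableTargets` models which profiles the POC's broadcast loop would actually reach under each gate.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

// Added example: a model of the cross-user permission gate, vulnerable and fixed.
public class CrossUserGateDemo {
    // Names mirror the Android identifiers used in the article; the integer values are illustrative.
    static final String INTERACT_ACROSS_USERS_FULL = "android.permission.INTERACT_ACROSS_USERS_FULL";
    static final int USER_SYSTEM = 0;
    static final int PERMISSION_GRANTED = 0;
    static final int PERMISSION_DENIED = -1;

    // Hypothetical stand-in for checkSelfPermission(): the caller's granted set decides.
    static int checkSelfPermission(Set<String> granted, String permission) {
        return granted.contains(permission) ? PERMISSION_GRANTED : PERMISSION_DENIED;
    }

    // The shape of the vulnerable gate: a caller in the primary user context
    // passes even when the permission was never granted.
    static boolean hasInteractAcrossUsersFullVulnerable(int callerUserId, Set<String> granted) {
        if (checkSelfPermission(granted, INTERACT_ACROSS_USERS_FULL) == PERMISSION_GRANTED) {
            return true;
        }
        if (callerUserId == USER_SYSTEM) {
            return true; // the bug: a user id is not a permission
        }
        return false;
    }

    // Corrected gate: only the actual grant counts, whatever the caller's user id.
    // callerUserId is kept so both gates share a signature; it is deliberately unused.
    static boolean hasInteractAcrossUsersFullFixed(int callerUserId, Set<String> granted) {
        return checkSelfPermission(granted, INTERACT_ACROSS_USERS_FULL) == PERMISSION_GRANTED;
    }

    // Models the POC loop: returns the user ids a broadcast would actually reach.
    // Delivery inside the caller's own profile never needs the cross-user permission.
    static List<Integer> reachableTargets(int callerUserId, Set<String> granted,
                                          List<Integer> targets, boolean useFixedGate) {
        List<Integer> reached = new ArrayList<>();
        for (int target : targets) {
            boolean sameProfile = (target == callerUserId);
            boolean crossUserAllowed = useFixedGate
                    ? hasInteractAcrossUsersFullFixed(callerUserId, granted)
                    : hasInteractAcrossUsersFullVulnerable(callerUserId, granted);
            if (sameProfile || crossUserAllowed) {
                reached.add(target);
            }
        }
        return reached;
    }

    public static void main(String[] args) {
        // Constructed scenario: the app runs as the primary user (id 0) with no
        // cross-user grant and iterates over profiles 0, 10 and 11.
        List<Integer> profiles = List.of(0, 10, 11);
        Set<String> noGrant = Set.of();
        Set<String> withGrant = Set.of(INTERACT_ACROSS_USERS_FULL);

        System.out.println("vulnerable gate, no grant: "
                + reachableTargets(USER_SYSTEM, noGrant, profiles, false));
        System.out.println("fixed gate, no grant:      "
                + reachableTargets(USER_SYSTEM, noGrant, profiles, true));
        System.out.println("fixed gate, with grant:    "
                + reachableTargets(USER_SYSTEM, withGrant, profiles, true));
    }
}
```

Run with `javac CrossUserGateDemo.java && java CrossUserGateDemo`. With no grant, the vulnerable gate lets the primary-user caller reach all three profiles, while the fixed gate confines it to its own profile (user 0); once INTERACT_ACROSS_USERS_FULL is actually granted, the fixed gate allows cross-profile delivery too, which is the intended behaviour. The point for reviewers of similar code: a permission gate must derive its answer from the grant state only, never from an identity attribute such as the calling user id.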
- Severity: HIGH. Attackers get control over user boundaries.
- Effort: LOW. No user trickery or exploits—just call the affected API from the primary user profile.
Mitigation & Fixes
- AOSP and vendors have released patches correcting the method to *not* trust the primary user context blindly.
- Update your device as soon as security updates are available!
- Enterprise admins: Pay attention to shared/work profile device updates.
- Official Android patch:
- Android Security advisories: https://source.android.com/security/bulletin
- CVE record: https://cve.org/CVERecord?id=CVE-2025-22428
- Developers: Don’t count on user profile separation if you’re below the patched release.
- Security Teams: Monitor for suspicious cross-user activity if your fleet uses Android multi-user features.
CVE-2025-22428 is one of those classic "simple logic bug, big security impact" vulnerabilities. Patch up, stay sharp, and share this with your fellow users and admins!
Timeline
Published on: 09/02/2025 23:15:34 UTC
Last modified on: 09/04/2025 16:39:12 UTC