A newly reported security flaw, CVE-2025-26426, has the potential to severely impact Android devices. This vulnerability exists in the registerReceiverWithFeatureTraced method inside BroadcastController.java. Due to insufficient input validation, local apps can receive broadcast messages intended only for the system "android" package. This could let malicious apps perform privileged actions, leading to a local escalation of privilege (EoP) without the user even being aware.

Below, I’ll walk through what the vulnerability is, how it works, and include sample code. Only a handful of references mention this CVE so far — you’ll find links at the end.

Understanding the Issue

Many Android apps (especially Google's and device manufacturers' apps) use broadcasts to communicate system-level events. Some sensitive broadcasts are restricted to system apps or to the "android" package.

The vulnerable method, registerReceiverWithFeatureTraced, should ensure that only platform components or other trusted callers can receive sensitive broadcasts, not just any calling app. However, because the validation is weak, this check can be subverted as shown below.

Here's a rough version of the vulnerable code from BroadcastController.java:

public void registerReceiverWithFeatureTraced(BroadcastReceiver receiver,
                                              IntentFilter filter,
                                              String broadcastPackage,
                                              ...) {
    // ... some logic
    if (broadcastPackage.equals("android")) {
        // Intended to restrict system broadcasts to the platform itself.
        // VULNERABLE: only compares the caller-supplied string; it never checks
        // that the real caller (Binder UID / signature) is actually "android".
    }

    // Registers the broadcast receiver regardless of who the caller is
    context.registerReceiver(receiver, filter, ...);
}

In the snippet above, the function seems to intend to only let system components register for certain broadcasts. But all it does is compare a passed-in string. Any application can set broadcastPackage to "android"!

Exploit Details

How can an attacker exploit this?
A local malicious app doesn’t need any special permissions or user interaction. It simply registers itself as a broadcast receiver as if it were the "android" package.

Here's a basic exploit pattern in Java (or Kotlin):

// Inside a malicious Android app:

IntentFilter filter = new IntentFilter("com.android.internal.INTENT_YOU_NEED");
BroadcastReceiver receiver = new MyMaliciousReceiver();

// Bypass check by spoofing the 'android' string
SomePlatformClass.registerReceiverWithFeatureTraced(
    receiver,
    filter,
    "android",   // Pretend to be the system
    ... // other params
);

Once registered, your receiver will intercept broadcasts meant *only* for the trusted system — perhaps even those carrying sensitive data or privileged commands.

Local Privilege Escalation:

Malicious apps could act on behalf of the system, changing restricted settings, learning about private events, or interfering with core device operations.

Wider Attack Surface:

Any app can exploit this as long as the platform has not been patched.

Patch the OS:

The fix should ensure only the trusted caller (signature or UID validation) can use system-only broadcasts.
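The caller check described above, as an added plain-Java example that is not AOSP code or the actual patch. SYSTEM_UID mirrors android.os.Process.SYSTEM_UID, callingUid stands in for Binder.getCallingUid(), and the constructed uid-to-package table stands in for PackageManager.getPackagesForUid(); on a device, AppOpsManager.checkPackage(uid, pkg) performs the same uid-to-package binding and throws SecurityException on mismatch.

```java
import java.util.Map;
import java.util.Set;

// Added example, not AOSP code: the weak check the page describes beside a hardened one.
public final class BroadcastRegistrationGuard {
    static final int SYSTEM_UID = 1000;         // mirrors android.os.Process.SYSTEM_UID
    static final int PER_USER_RANGE = 100000;   // mirrors UserHandle.PER_USER_RANGE (uid = user*range + appId)
    static final String SYSTEM_PACKAGE = "android";

    // Constructed uid -> installed packages table; on a device this comes from
    // PackageManager.getPackagesForUid(uid) (or AppOpsManager.checkPackage(uid, pkg)).
    private final Map<Integer, Set<String>> packagesByUid;

    BroadcastRegistrationGuard(Map<Integer, Set<String>> packagesByUid) {
        this.packagesByUid = packagesByUid;
    }

    // The weak check the page describes: trusts whatever string the caller passes.
    static boolean weakIsSystemCaller(String claimedPackage) {
        return SYSTEM_PACKAGE.equals(claimedPackage);
    }

    // Hardened check: the claim must match the caller's Binder identity. callingUid stands in for
    // Binder.getCallingUid() (read before any clearCallingIdentity()); the app id is compared the
    // way UserHandle.isSameApp() does, then package ownership is verified against the uid.
    boolean isSystemCaller(int callingUid, String claimedPackage) {
        if (!SYSTEM_PACKAGE.equals(claimedPackage)) return false;
        if (callingUid % PER_USER_RANGE != SYSTEM_UID) return false;
        return packagesByUid.getOrDefault(callingUid, Set.of()).contains(claimedPackage);
    }

    // Gate for the system-only registration path; rejects with SecurityException like the framework.
    void registerSystemOnlyReceiver(int callingUid, String claimedPackage, String action) {
        if (!isSystemCaller(callingUid, claimedPackage)) {
            throw new SecurityException("uid " + callingUid + " may not register as "
                    + SYSTEM_PACKAGE + " for " + action);
        }
        System.out.println("registered " + action + " for uid " + callingUid);
    }

    public static void main(String[] args) {
        // Constructed table: uid 1000 owns "android", uid 10123 owns a third-party app.
        BroadcastRegistrationGuard guard = new BroadcastRegistrationGuard(
                Map.of(1000, Set.of("android"), 10123, Set.of("com.example.thirdparty")));
        System.out.println(weakIsSystemCaller("android"));           // true for any caller
        System.out.println(guard.isSystemCaller(10123, "android"));  // false: claim not bound to uid
        guard.registerSystemOnlyReceiver(1000, "android", "com.android.internal.INTENT_YOU_NEED");
    }
}
```

Note that the uid must be captured from the Binder transaction before the service clears the calling identity, otherwise the check would see system_server's own uid and pass for every caller.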

References

- NVD Detail for CVE-2025-26426
- Android Security Bulletin (June 2025) — Look for CVE-2025-26426 Entry
- Concept: Android BroadcastReceiver Security


> Summary:
> CVE-2025-26426 lets malicious apps register for broadcasts intended only for the system "android" package because of weak string-based validation in BroadcastController.java. This can result in silent, local privilege escalation. Patch your systems and validate the real caller before allowing system-level event registration!

*Exclusive content by ChatGPT. Not to be reposted without permission.*

Timeline

Published on: 09/04/2025 17:11:50 UTC
Last modified on: 09/05/2025 19:11:41 UTC