CVE-2025-26436 - Exploiting Background Activity Launch (BAL) Bypass in Android’s clearAllowBgActivityStarts

CVE-2025-26436 is a critical Android vulnerability that allows apps to launch activities from the background without user interaction, bypassing security checks intended to block such behavior (known as BAL or Background Activity Launch). This bug lies within the clearAllowBgActivityStarts() function in PendingIntentRecord.java, impacting the trusted component used to start Activities from different app contexts.

What’s the Issue?

Android has strict rules to prevent apps from launching Activities (like popups or new windows) while running in the background. This is to keep users from being tricked or interrupted. The core of this rule: background apps shouldn’t be able to push interfaces to the foreground and steal attention, data, or permissions.

But in Android’s code, the logic in PendingIntentRecord.java (which manages pending intents—bundles of work that apps schedule for the system or other apps to do for them) had a flaw. The clearAllowBgActivityStarts() method failed to properly revoke permission for background activity launches under certain conditions. Crafty apps could exploit this to “pop up” an Activity at any time, even when they shouldn’t have been able to.

Why Does It Matter?

- Privilege Escalation: Malicious apps can trick users or display sensitive permission requests out of the blue, without user action.

Vulnerable Code Path: A Closer Look

Here’s a simplified view of the relevant method from AOSP’s PendingIntentRecord.java:

void clearAllowBgActivityStarts() {
    // This should revoke the BAL allowance,
    // but due to a misplaced check, it can be bypassed
    mAllowBgActivityStarts = false;
}

The issue is less about this specific line and more about logic elsewhere in the file, where mAllowBgActivityStarts can inadvertently remain true after an unusual sequence of activity launches and pending intent invocations. Specifically, an app can craft a PendingIntent that “survives” the clearing process and gets reused to launch an activity from the background.

How Is It Exploited? Example Steps

Let’s see what an exploit could look like, in basic Android code.

Step 1: The attacker app creates a PendingIntent for an Activity (say, PhishingActivity)

Intent intent = new Intent(context, PhishingActivity.class);
PendingIntent pendingIntent = PendingIntent.getActivity(
    context,
    0,  // request code
    intent,
    PendingIntent.FLAG_UPDATE_CURRENT
);

Step 2: Abuse clearAllowBgActivityStarts() Logic

The app can invoke the pending intent while *technically* cleared for background launching (for example, after a notification click). Because of the flaw, some PendingIntents can “retain” the privilege, even after clearAllowBgActivityStarts() is called.

Step 3: Launch Activity From Background Without User Interaction

// Delayed, possibly after entering background
pendingIntent.send();

The exploit works even when the app is in the background and shouldn’t be able to launch Activities.

Result: The malicious Activity pops up suddenly, possibly phishing or tricking the user.

- Android Security Bulletin — June 2025, listing CVE-2025-26436
- AOSP source for PendingIntentRecord.java
- Android documentation: PendingIntent

Fix & Mitigation

The Android patch enforces better checks whenever clearAllowBgActivityStarts() is called. PendingIntent now *definitely* clears privilege for all intents, not just in certain states.

- Users: Update your Android device as soon as patches roll out (look for security patch level June 2025 or later).
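
One way to apply the patch-level guidance above across several devices, as an added example (not code from the original post or from AOSP). It assumes the fix ships with the earliest June 2025 level, written here as 2025-06-01, and that device levels are read from the `ro.build.version.security_patch` property over adb; the function names and the sample inventory are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag devices below the patch level that carries the fix.
# MIN_PATCH: the page says "June 2025 or later"; the day (01) is an assumption.
MIN_PATCH="2025-06-01"

# patch_status LEVEL -> prints PATCHED, VULNERABLE or UNKNOWN
patch_status() {
    level=$(printf '%s' "$1" | tr -d '\r ')   # adb output may end in CR
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo UNKNOWN; return 0 ;;          # missing or malformed value
    esac
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$MIN_PATCH" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo PATCHED; else echo VULNERABLE; fi
}

# audit_inventory: "serial patch_level" lines on stdin -> "serial status" lines
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        printf '%s %s\n' "$serial" "$(patch_status "$level")"
    done
}

# count_unpatched: devices on stdin that are not confirmed patched
count_unpatched() {
    audit_inventory | grep -c -v ' PATCHED$'
}

# Constructed sample inventory (serials and levels are made up)
sample_inventory() {
    cat <<'EOF'
emulator-5554 2025-06-05
SERIAL-A 2025-05-01
SERIAL-B 2025-09-01
SERIAL-C
SERIAL-D 2024-12-05
EOF
}

# live_inventory: same format, read from attached devices over adb
live_inventory() {
    adb devices | awk 'NR>1 && $2=="device"{print $1}' | while read -r s; do
        # </dev/null keeps adb from swallowing the remaining serials
        lvl=$(adb -s "$s" shell getprop ro.build.version.security_patch </dev/null)
        printf '%s %s\n' "$s" "$lvl"
    done
}

sample_inventory | audit_inventory   # swap in live_inventory for real devices
```

Devices that report no patch level, or a malformed one, are counted as unpatched rather than silently passed.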

Conclusion

CVE-2025-26436 is a powerful reminder that small logic bugs in privileged Android code can punch big holes in user security. Even careful systems like PendingIntent can fall prey to subtle state errors. Always apply OS updates, and don’t trust apps that pop up without reason!

For full technical breakdowns and patch history, check out the official Android Security Bulletin and source links above. Stay safe!

Timeline

Published on: 09/04/2025 18:15:42 UTC
Last modified on: 09/29/2025 22:48:26 UTC