CVE-2025-26442 - Exploiting Notification Listener Service Intent Filter Verification in Android (with Exploit Example)

In early 2025, security researchers publicly disclosed CVE-2025-26442, a logic error in Android’s NotificationAccessConfirmationActivity.java. This bug sits within the Notification Listener Service (NLS) intent filter verification—and may let local attackers easily read sensitive notifications, even if they don't have extra device privileges.

This article dives deep into how the bug works, the exact code flow, and practical exploit details for researchers.

The Bug: Where It Lives

On Android, Notification Listener Services get special access to notifications only after they’re granted explicit permission. The permission dialog and checks revolve around NotificationAccessConfirmationActivity.java, which is supposed to make sure that only apps with a valid NLS intent filter in their manifest can request this access.

What went wrong:
A logic error in the onCreate() method means it's possible to bypass intent filter checks. That means any local app can get notification data, even if it never said it was an NLS.

Reference

- Source browser reference (AOSP)
- Security Bulletin - CVE-2025-26442

Code Walkthrough

Let's look at a simplified excerpt (not the full real file) to show the flawed logic. Here’s a mockup inspired by actual patterns seen in patches and writeups:

public class NotificationAccessConfirmationActivity extends Activity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        Intent intent = getIntent();
        String requestingPackage = intent.getStringExtra("package");

        // Supposed to check the intent filter here!
        if (!verifyNLSIntentFilter(requestingPackage)) {
            finish();
            return;
        }

        // ...proceed to prompt for NLS access
    }

    // The logic error: let's say this always returns true :(
    private boolean verifyNLSIntentFilter(String packageName) {
        // This intended to return true only if notification listener declared.
        // But due to a logic error:
        return true;  // <-- flaw, should actually verify
    }
}

Impact:
Any local app can craft an intent to this activity and, *because the filter check always returns true*, the system will show the notification access dialog and then grant full notification access!

Real-World Impact

- Attack scenario: Legitimate apps (even malicious ones) could silently request notification access by crafting a special intent.

No extra permissions needed: Apps don’t need SYSTEM privileges or any user interaction at all.

- What can the attacker see?: Private messages, emails, banking notifications—anything that generates Android notifications.

A basic proof-of-concept might look like this (assumed minSdk <= the vulnerable versions)

// ExploitPoC.java
Intent exploit = new Intent();
exploit.setComponent(new ComponentName(
    "com.android.systemui",
    "com.android.systemui.notification.NotificationAccessConfirmationActivity"));
exploit.putExtra("package", getPackageName());  // Attacker's package name

// Exploit: launches the confirmation activity and triggers the logic error
startActivity(exploit);

// If the bug isn't patched, notification access can be granted (or at least the dialog is triggered).

*Note: On some builds, user confirmation might still be needed for granting access, but reaching this point shouldn't even be possible for apps not registered as NLS.*

Technical Details & Patch Info

The fix is straightforward: The intent filter verification must strictly check that the app declared a correct <intent-filter> in its manifest for android.service.notification.NotificationListenerService.

Simplified corrected logic

private boolean verifyNLSIntentFilter(String packageName) {
    // check for correct intent filter using PackageManager:
    List<ServiceInfo> services = packageManager.queryIntentServices(
        new Intent("android.service.notification.NotificationListenerService"), );

    for (ServiceInfo service : services) {
        if (service.packageName.equals(packageName)) {
            return true;
        }
    }
    return false;
}

Patch is present in

- July 2025 Android Security Bulletin
- Referenced as AOSP patch (example link)

Avoid installing untrusted apps, especially those asking for notification access.

- Enterprise users: Enforce policies preventing unknown sources and monitor notification listener permissions.

Conclusion

The CVE-2025-26442 flaw is a classic case of a simple logic oversight with outsized impact. By failing to properly check intent filters in NotificationAccessConfirmationActivity.java, local attackers could exploit the Notification Listener Service mechanism and access sensitive user information without needing extra permissions or user actions.

References

- CVE-2025-26442 NVD Entry
- AOSP source browser - NotificationAccessConfirmationActivity.java
- Android Security Bulletin June 2025


Stay up to date, and keep your users’ data safe!

Timeline

Published on: 09/04/2025 18:15:43 UTC
Last modified on: 09/29/2025 22:48:47 UTC