7 Android & Pixel Vulnerabilities Exposed: Researcher Publishes PoC Exploits
Oversecured, a renowned cybersecurity firm, has unearthed seven vulnerabilities within the Android operating system and Google Pixel devices. Two of these vulnerabilities specifically endangered Google Pixel users, while the remaining five posed a threat to all Android devices, irrespective of the manufacturer.
For Google Pixel users, the report highlights vulnerabilities that allow unauthorized applications to access geolocation data and bypass VPN protections. The former, identified as CVE-2024-0017, exploits improper geolocation permissions in the Android Camera app, enabling attackers to extract the location metadata from user photos. According to the report, the Camera app’s LegacyLocationProvider handler mistakenly passes geolocation data to unprivileged applications under specific conditions.
Another vulnerability, CVE-2023-21383, exploits undeclared permissions in the Android Settings app, allowing attackers to add apps to the VPN bypass list. This flaw presents significant risks by potentially exposing sensitive data traffic outside secured VPN tunnels.
The remaining vulnerabilities pose threats to all Android devices, regardless of the manufacturer. Key issues include:
- WebView File Theft: Misconfigured default settings in WebChromeClient.FileChooserParams enable attackers to intercept file-sharing intents, leading to unauthorized data access.
- Bluetooth Exploitation: An incorrect permission check in Bluetooth APIs (CVE-2024-34719) allows malicious applications to gain privileged system-level access to Bluetooth features.
- HTML Injection on Device Admin Screens: A long-standing vulnerability (CVE-2021-0600) in the Device Admin request screen permits attackers to inject malicious HTML elements into administrative prompts.
- Content Provider Security Bypass: The method ContentProvider.openFile() bypasses internal security checks, enabling attackers to gain unauthorized access to protected application components.
One vulnerability, CVE-2023-20963, was exploited “in the wild” by the Pinduoduo app, which comes from the developer of the Temu app, and enabled attackers to access arbitrary components on behalf of the Android system. The report notes that this exploitation went on for nearly a year before the flaw was patched in 2023.
The researcher has published technical details and proof-of-concept exploit code for all these vulnerabilities.
All identified vulnerabilities have been addressed through patches, with fixes rolled out between late 2023 and 2024. Users are strongly advised to install the latest security updates or consider alternative tools if these vulnerabilities compromise critical workflows.