This vulnerability exists in the `EditFdnContactScreen` component of the Android framework. The `onActivityResult` method does not properly validate the identity of the calling application (the deputy). A malicious, unprivileged app can craft a specific Intent to call this component. Because the component is confused about who is making the request, it incorrectly executes operations using its own higher privileges. This allows the attacker app to bypass Android’s profile isolation and read contact data from the secured work profile, which it should not have access to, leading to local escalation of privilege without requiring user interaction.
Platform: Android
Version: Framework
Vulnerability: Confused Deputy
Severity: Critical
Date: 2025-12-08
Prediction: 2026-01-15
What Undercode Says:
Check for exported components with an intent-filter:

```shell
adb shell dumpsys package | grep -A5 -B5 "EditFdnContactScreen"
```

Example of probing component accessibility:

```shell
am start -n com.android.phone/com.android.phone.EditFdnContactScreen
```
```java
// Malicious app's code to craft confusing Intent (fragment that runs inside an
// Activity subclass; imports listed for completeness)
import android.content.ComponentName;
import android.content.Intent;

private static final int REQUEST_CODE = 1;

Intent i = new Intent();
i.setComponent(new ComponentName("com.android.phone", "com.android.phone.EditFdnContactScreen"));
// Set malicious extras to trigger data return
startActivityForResult(i, REQUEST_CODE);
```
How the Exploit Works:
The malicious app calls the exported `EditFdnContactScreen` with a crafted Intent. The component processes the request using its own (phone app) permissions, accesses work profile contacts, and returns the data to the attacker app.
Protection from this CVE:
Apply the vendor patch. Restrict component export. Implement caller identity verification in `onActivityResult`. Use the `android:permission` attribute.
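The mitigations above, shown together in one hardened activity. This is an added illustration, not the AOSP fix for `EditFdnContactScreen`; the class name, the `com.example.permission.READ_FDN` signature permission, the `com.example.dialer` allow-list entry and the manifest fragment in the comments are all assumptions made for the example. The key points are that the caller is identified through `getCallingPackage()` (only populated for `startActivityForResult()` launches), that the permission is checked against the caller rather than against the deputy itself, and that the check is repeated on the result path, since that is where data actually leaves the privileged process.

```java
// Added hardening example (not the project's own code): an Activity that acts
// on behalf of a caller only after positively identifying that caller.
package com.example.hardened;

import android.app.Activity;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.os.Bundle;
import android.util.Log;

import java.util.Collections;
import java.util.Set;

public class HardenedFdnContactActivity extends Activity {
    private static final String TAG = "HardenedFdn";

    // Assumed signature-level permission declared in this app's manifest:
    //   <permission android:name="com.example.permission.READ_FDN"
    //               android:protectionLevel="signature" />
    // and applied to this activity via android:permission:
    //   <activity android:name=".HardenedFdnContactActivity"
    //             android:exported="true"
    //             android:permission="com.example.permission.READ_FDN" />
    private static final String FDN_READ_PERMISSION = "com.example.permission.READ_FDN";

    // Assumed allow-list of first-party callers (constructed for this example).
    private static final Set<String> ALLOWED_CALLERS =
            Collections.singleton("com.example.dialer");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (!callerIsTrusted()) {
            // Refuse early: never do privileged work for an unidentified caller.
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        // ... build the UI and launch the contact picker with
        // startActivityForResult() as the original screen would.
    }

    /** True only when the calling app is positively identified and authorised. */
    boolean callerIsTrusted() {
        // Non-null only when we were started with startActivityForResult();
        // a plain startActivity() launch yields null and is rejected.
        String caller = getCallingPackage();
        if (caller == null) {
            Log.w(TAG, "No calling package: refusing to act as a deputy");
            return false;
        }
        PackageManager pm = getPackageManager();
        // 1. Same-signer check: reject apps not signed with our certificate.
        if (pm.checkSignatures(getPackageName(), caller) != PackageManager.SIGNATURE_MATCH) {
            Log.w(TAG, "Caller " + caller + " is not signed by our key");
            return false;
        }
        // 2. Permission check against the caller, not against ourselves
        //    (checkCallingOrSelfPermission would pass whenever *we* hold it).
        if (pm.checkPermission(FDN_READ_PERMISSION, caller) != PackageManager.PERMISSION_GRANTED) {
            Log.w(TAG, "Caller " + caller + " lacks " + FDN_READ_PERMISSION);
            return false;
        }
        // 3. Explicit allow-list as defence in depth.
        return ALLOWED_CALLERS.contains(caller);
    }

    @Override
    protected void onActivityResult(int requestCode, int resultCode, Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        // Re-validate before forwarding anything: the launch-time check gates the
        // UI, but the result path is where contact data leaves this process.
        if (!callerIsTrusted() || resultCode != RESULT_OK || data == null) {
            setResult(RESULT_CANCELED);
            finish();
            return;
        }
        Intent out = new Intent();
        // Forward only the field the caller needs, never the whole picked Intent.
        out.putExtra("picked_uri", data.getDataString());
        setResult(RESULT_OK, out);
        finish();
    }
}
```

Setting `android:exported="false"` is the simpler option when no third-party caller is ever legitimate; the code above is for the case where the screen must stay reachable but only by trusted callers.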
Impact:
Work profile data leakage. Local privilege escalation.
Sources:
Reported By: nvd.nist.gov