- Status: Completed.
- Description: In PackageInstaller there is a possible bypass of the unknown source warning due to a confused deputy scenario. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
- Type: EoP
- Severity: High
- Links:
- Exploit: Use a spoofed sessionId to install an app acting like a privileged source.
- Patch: For Android 7.0 and newer, the APK must be supplied through a FileProvider, which can't be accessed through VirtualApp because the UID is not the owner.