CVE-2021-0388
📋 TL;DR
This vulnerability in Android's IMS phone call tracking system allows misattribution of video call data usage to incorrect applications. It enables local privilege escalation without requiring user interaction or additional execution privileges. Only Android 11 devices are affected.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Malicious app could attribute its own data usage to legitimate apps, potentially causing those apps to exceed data caps or incur charges, while hiding the malicious app's activity.
Likely Case
Data usage attribution errors causing incorrect billing or app data usage reporting, potentially leading to app suspension for legitimate apps.
If Mitigated
Minor data reporting inaccuracies with no security impact if proper app isolation and monitoring are in place.
🎯 Exploit Status
Requires developing a malicious Android app that exploits the broadcast handler vulnerability. No user interaction needed once app is installed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Patch Level 2021-03-01 or later
Vendor Advisory: https://source.android.com/security/bulletin/pixel/2021-03-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > Advanced > System update. 2. Install the March 2021 security patch or later. 3. Restart the device after installation.
🔧 Temporary Workarounds
Restrict app installations
androidOnly allow installation of apps from trusted sources like Google Play Store and disable unknown sources.
adb shell settings put secure install_non_market_apps 0
Monitor app permissions
androidReview and restrict app permissions, especially for apps requesting phone/telephony permissions.
🧯 If You Can't Patch
- Implement mobile device management (MDM) to control app installations and monitor for suspicious apps
- Use network monitoring to track data usage by app and look for attribution anomalies
🔍 How to Verify
Check if Vulnerable:
Check Android version in Settings > About phone > Android version. If it shows Android 11 and security patch level is before March 2021, device is vulnerable.Check Version:
adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patchVerify Fix Applied:
Verify Android version is 11 and security patch level is 2021-03-01 or later in Settings > About phone > Android security patch level.📡 Detection & Monitoring
Log Indicators:
- Unusual data usage attribution in system logs
- IMS service broadcast handling errors
Network Indicators:
- Discrepancies between app-reported data usage and actual network traffic
SIEM Query:
source="android_system" AND (event="ims_broadcast" OR event="data_attribution") AND severity=ERROR