CVE-2021-0550

7.8 HIGH

📋 TL;DR

This vulnerability allows malicious apps to gain WRITE_EXTERNAL_STORAGE permissions without user consent through a confused deputy attack in Android's AnnotateActivity component. It enables local privilege escalation on Android 11 devices without requiring additional execution privileges. Only Android 11 devices with the vulnerable component are affected.

💻 Affected Systems

Products:
  • Android
Versions: Android 11
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Android 11. Pixel devices are specifically mentioned in the bulletins, but the issue likely affects all Android 11 implementations with the vulnerable component.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Malicious app gains unauthorized write access to external storage, potentially allowing data theft, modification of critical files, or planting of malicious content that could compromise device integrity.

🟠 Likely Case

Malicious app writes files to external storage without user knowledge, potentially exfiltrating sensitive data or preparing for further attacks.

🟢 If Mitigated

With proper Android security updates, the vulnerability is eliminated and no unauthorized access occurs.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring a malicious app to be installed on the device.
🏢 Internal Only: MEDIUM - In enterprise environments, a malicious app could exploit this to access shared storage areas and potentially compromise other apps or data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a malicious app to be installed on the device. No user interaction needed for exploitation once the app is installed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level 2021-06-01 or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2021-06-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > Advanced > System update.
2. Install the June 2021 security patch or later.
3. Reboot the device after installation.

🔧 Temporary Workarounds

Disable or restrict AnnotateActivity

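Disable the vulnerable component if it is not needed, though this may break functionality in apps that use annotation features. Note that the command below disables the entire com.android.documentsui package for user 0 rather than a single activity.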

adb shell pm disable-user --user 0 com.android.documentsui

🧯 If You Can't Patch

  • Restrict installation of unknown apps and only use trusted app sources like Google Play Store
  • Implement mobile device management (MDM) policies to control app installations and monitor for suspicious behavior

🔍 How to Verify

Check if Vulnerable:

Check the Android version in Settings > About phone > Android version. If it shows Android 11 and the security patch level is before June 2021, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.release && adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android version is 11 and security patch level is 2021-06-01 or later in Settings > About phone > Android version.
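
The version rule above, as an added shell example that is not part of the original advisory: it classifies a device from the two getprop values and can repeat the check for every device attached through adb. The function names and the --audit switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a device for CVE-2021-0550 from the two properties
# the page reads with getprop. Function names here are hypothetical.

FIXED_SPL="2021-06-01"   # first patched security patch level, per the page

# classify_cve_2021_0550 RELEASE SECURITY_PATCH
# Prints one of: not-affected | vulnerable | patched | unknown
classify_cve_2021_0550() {
    # Values fetched through "adb shell" can carry a trailing CR; strip it.
    release=$(printf '%s' "$1" | tr -d '\r')
    spl=$(printf '%s' "$2" | tr -d '\r')

    # Page scope: only Android 11 is affected. Accept "11" or "11.x".
    case "$release" in
        11|11.*) ;;
        '') echo unknown; return 0 ;;
        *) echo not-affected; return 0 ;;
    esac

    # Require a strict YYYY-MM-DD value; anything else is reported, not guessed.
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac

    # ISO dates order correctly as integers once the dashes are removed.
    have=$(printf '%s' "$spl" | sed 's/-//g')
    need=$(printf '%s' "$FIXED_SPL" | sed 's/-//g')
    if [ "$have" -lt "$need" ]; then echo vulnerable; else echo patched; fi
}

# audit_attached_devices: run the check against every device adb can see.
audit_attached_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        rel=$(adb -s "$serial" shell getprop ro.build.version.release </dev/null)
        spl=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null)
        printf '%s\t%s\t%s\t%s\n' "$serial" "$rel" "$spl" \
            "$(classify_cve_2021_0550 "$rel" "$spl")"
    done
}

# Live audit only when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--audit" ]; then audit_attached_devices; fi
```

An "unknown" result means the release or patch level string was empty or malformed and the device should be checked by hand in Settings.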

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations to external storage by apps without WRITE_EXTERNAL_STORAGE permissions
  • AnnotateActivity component being invoked unexpectedly

Network Indicators:

  • Not applicable - this is a local privilege escalation vulnerability

SIEM Query:

Not applicable for typical SIEM systems as this is a mobile device vulnerability
