CVE-2021-0963
📋 TL;DR
This Android vulnerability allows malicious apps to trick users into granting certificate access via tapjacking/overlay attacks. Attackers can use this to escalate privileges locally without needing additional permissions. Affects Android 9 through 12 users who install malicious apps.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Attacker gains access to app certificates stored in Android KeyChain, potentially compromising secure communications, authentication tokens, or encrypted data.
Likely Case
Malicious app steals certificates from other installed apps, enabling man-in-the-middle attacks or impersonation of legitimate applications.
If Mitigated
Exploitation still requires user interaction and the overlay permission, so user awareness and app vetting reduce the number of successful attacks.
🎯 Exploit Status
Exploitation requires user to install malicious app and interact with overlay. No public exploit code available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Bulletin December 2021 patches
Vendor Advisory: https://source.android.com/security/bulletin/2021-12-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > System update.
2. Install the December 2021 security patch or later.
3. Reboot the device after installation.
🔧 Temporary Workarounds
Disable overlay permissions for untrusted apps
Prevent apps from drawing over other apps in Settings
Settings > Apps > [App Name] > Advanced > Draw over other apps > Disable
Enable Google Play Protect
Use built-in malware scanning for app installations
Settings > Security > Google Play Protect > Scan device for security threats
🧯 If You Can't Patch
- Only install apps from official Google Play Store with good reputation
- Regularly review app permissions and disable 'draw over other apps' for non-essential applications
🔍 How to Verify
Check if Vulnerable:
Check the Android version in Settings > About phone > Android version. If the version is 9 through 12 and the security patch level is earlier than December 2021, the device is vulnerable.
Check Version:
Settings > About phone > Android version
Verify Fix Applied:
Verify Android security patch level is December 2021 or later in Settings > About phone > Android security patch level.
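The same version and patch-level check, scripted for a fleet of devices reachable over adb. This is an added example, not part of the original advisory: it reads the standard Android build properties ro.build.version.release and ro.build.version.security_patch via `adb shell getprop` (the assumption being that adb is on PATH with one device attached) and compares the patch level against the December 2021 bulletin date.

```python
import subprocess
from datetime import date
from typing import Optional

# Added example: decide whether a device still lacks the December 2021 patch
# level that addresses CVE-2021-0963. Assumes `adb` is on PATH and a single
# device is connected. ro.build.version.release ("12", "8.1.0") and
# ro.build.version.security_patch ("2021-12-01") are standard build properties.

FIXED_PATCH_LEVEL = date(2021, 12, 1)   # Android Security Bulletin, December 2021
AFFECTED_MAJOR = range(9, 13)           # Android 9 through 12, per the advisory


def parse_release(release: str) -> Optional[int]:
    """Return the major Android version from ro.build.version.release, or None."""
    head = release.strip().split(".")[0]
    return int(head) if head.isdigit() else None


def parse_patch_level(value: str) -> Optional[date]:
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None if unset or garbled."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def assess(release: str, patch_level: str) -> str:
    """Classify a device as not-affected, unknown, vulnerable or patched."""
    major = parse_release(release)
    patch = parse_patch_level(patch_level)
    if major is None or major not in AFFECTED_MAJOR:
        return "not-affected"
    if patch is None:
        return "unknown"          # property missing: treat as unverified, not as patched
    return "patched" if patch >= FIXED_PATCH_LEVEL else "vulnerable"


def getprop(name: str) -> str:
    """Read one build property from the attached device."""
    return subprocess.check_output(["adb", "shell", "getprop", name], text=True).strip()


if __name__ == "__main__":
    rel = getprop("ro.build.version.release")
    spl = getprop("ro.build.version.security_patch")
    print(f"Android {rel}, security patch level {spl}: {assess(rel, spl)}")
```

A device that reports no patch level is classified as "unknown" rather than "patched", so a missing or vendor-mangled property never hides an unpatched device.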
📡 Detection & Monitoring
Log Indicators:
- Multiple KeyChain access attempts from same app
- Overlay permission abuse logs
Network Indicators:
- Unexpected certificate validation failures
- SSL/TLS handshake anomalies
SIEM Query:
app:android AND event:permission_grant AND permission:SYSTEM_ALERT_WINDOW AND resource:KeyChain
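The SIEM query above combines two of the log indicators: an app that holds the overlay permission and repeatedly touches KeyChain. As an added example that is not part of the original page, here is that correlation written out over a small batch of constructed event records; the field names (app, event, permission, resource) mirror the query, but a real collector's schema and the attempt threshold are assumptions to adapt per environment.

```python
from collections import defaultdict
from typing import Dict, Iterable, List

# Added example: correlate overlay-permission grants with repeated KeyChain
# access by the same app. The records below are constructed for this example;
# real field names depend on the log collector, and the threshold is an
# assumption to tune per environment.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"app": "com.example.notes",   "event": "permission_grant", "permission": "SYSTEM_ALERT_WINDOW"},
    {"app": "com.example.notes",   "event": "keychain_access",  "resource": "KeyChain"},
    {"app": "com.example.notes",   "event": "keychain_access",  "resource": "KeyChain"},
    {"app": "com.example.notes",   "event": "keychain_access",  "resource": "KeyChain"},
    {"app": "com.example.mail",    "event": "keychain_access",  "resource": "KeyChain"},
    {"app": "com.example.overlay", "event": "permission_grant", "permission": "SYSTEM_ALERT_WINDOW"},
]

KEYCHAIN_ATTEMPT_THRESHOLD = 3  # assumption: tune per environment


def find_suspicious_apps(events: Iterable[Dict[str, str]],
                         threshold: int = KEYCHAIN_ATTEMPT_THRESHOLD) -> List[str]:
    """Return apps that were granted SYSTEM_ALERT_WINDOW and hit KeyChain at least `threshold` times."""
    overlay_apps = set()
    keychain_counts: Dict[str, int] = defaultdict(int)
    for ev in events:
        if ev.get("event") == "permission_grant" and ev.get("permission") == "SYSTEM_ALERT_WINDOW":
            overlay_apps.add(ev["app"])
        elif ev.get("resource") == "KeyChain":
            keychain_counts[ev["app"]] += 1
    # Only apps matching BOTH indicators are flagged; a mail client that uses
    # KeyChain once, or an overlay app that never touches KeyChain, is not.
    return sorted(app for app in overlay_apps if keychain_counts[app] >= threshold)


if __name__ == "__main__":
    for app in find_suspicious_apps(SAMPLE_EVENTS):
        print(f"review: {app} holds overlay permission and made repeated KeyChain requests")
```

Requiring both indicators keeps the rule from firing on legitimate clients that use KeyChain for VPN or mail certificates, which is the usual source of noise for a KeyChain-only alert.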