CVE-2021-39734
📋 TL;DR
This vulnerability in Android's RCS messaging system allows local attackers to send messages without proper permissions due to a missing permission check in OneToOneChatImpl.java. It enables local privilege escalation without requiring user interaction or additional execution privileges. Affects Android devices with vulnerable kernel versions.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker with local access could escalate privileges to send RCS messages impersonating the user, potentially enabling phishing, data exfiltration, or unauthorized communication.
Likely Case
Malicious apps could abuse this to send messages without user consent, potentially for spam, phishing, or unauthorized data transmission.
If Mitigated
With proper patching, the permission check is enforced, preventing unauthorized message sending and maintaining proper app sandboxing.
🎯 Exploit Status
Exploitation requires local access to the device, likely through a malicious app. No public exploit code is known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: March 2022 Android security patch level
Vendor Advisory: https://source.android.com/security/bulletin/pixel/2022-03-01
Restart Required: Yes
Instructions:
1. Check for system updates in Settings > System > System update.
2. Install the March 2022 Android security patch.
3. Reboot the device after installation.
🔧 Temporary Workarounds
Disable RCS messaging
Temporarily disable Rich Communication Services to mitigate the vulnerability.
Open Messages app > Settings > Chat features > Toggle 'Enable chat features' OFF
Restrict app permissions
Review and restrict SMS/messaging permissions for untrusted apps.
Settings > Apps > [App Name] > Permissions > Deny SMS permissions
🧯 If You Can't Patch
- Isolate vulnerable devices from sensitive networks and data
- Implement application allowlisting to prevent installation of untrusted apps
🔍 How to Verify
Check if Vulnerable:
Check the Android security patch level in Settings > About phone > Android security patch level. If it is earlier than March 2022, the device is vulnerable.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify security patch level shows 'March 5, 2022' or later in Settings > About phone > Android security patch level.
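The check above can be scripted across every device attached over adb. This is an added example, not part of the advisory; the function names, the `--audit` argument and the `2022-03-05` threshold (taken from "Verify Fix Applied" above) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: classify devices by Android security patch level.
# FIXED_LEVEL mirrors the "March 5, 2022" level named under "Verify Fix Applied".
FIXED_LEVEL="2022-03-05"

# patch_status LEVEL -> prints patched | vulnerable | unknown
# LEVEL is the raw value of ro.build.version.security_patch (YYYY-MM-DD).
patch_status() {
    # Some adb versions append a carriage return; strip CR and whitespace.
    level=$(printf '%s' "$1" | tr -d '\r \t\n')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;   # empty or malformed property value
    esac
    # ISO dates compare correctly as integers once only the digits are kept.
    have=$(printf '%s' "$level" | tr -cd '0-9')
    need=$(printf '%s' "$FIXED_LEVEL" | tr -cd '0-9')
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# audit_devices: print serial, patch level and status for each attached device.
audit_devices() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    # Only lines in state "device" are usable (skips offline/unauthorized).
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from consuming the serial list on stdin.
        raw=$(adb -s "$serial" shell getprop ro.build.version.security_patch \
              </dev/null | tr -d '\r')
        printf '%s\t%s\t%s\n' "$serial" "$raw" "$(patch_status "$raw")"
    done
}

# Run the fleet check only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_devices
fi
```

Devices reported as `unknown` returned an empty or malformed property and should be checked by hand in Settings.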
📡 Detection & Monitoring
Log Indicators:
- Unexpected RCS message sending events in system logs
- Permission denial logs for messaging operations
Network Indicators:
- Unusual RCS traffic patterns from unexpected apps
SIEM Query:
source="android_system" AND ((event="permission_denied" AND component="messaging") OR (event="rcs_message_sent" AND app NOT IN ["trusted_messaging_apps"]))