CVE-2021-39794
📋 TL;DR
This vulnerability allows malicious apps to execute code with shell user privileges when wireless debugging is enabled on Android devices, due to a missing permission check in the AdbService. It affects Android 11, 12, and 12L devices where wireless debugging is enabled. User interaction is required for exploitation, making it a local privilege escalation vulnerability.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
Android by Google
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise where attacker gains shell user privileges, potentially leading to data theft, persistence installation, or further privilege escalation to root.
Likely Case
Malicious app gains elevated privileges to access sensitive data, modify system settings, or install additional malware without user knowledge.
If Mitigated
Limited impact if wireless debugging is disabled or device is patched, with standard app sandboxing preventing broader system compromise.
🎯 Exploit Status
Exploitation requires user to install and run a malicious app. The vulnerability is well-documented in Android security bulletins.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android Security Bulletin April 2022 or later
Vendor Advisory: https://source.android.com/security/bulletin/2022-04-01
Restart Required: Yes
Instructions:
1. Check for system updates in Settings > System > System update. 2. Install the April 2022 or later Android security update. 3. Restart device after installation.
🔧 Temporary Workarounds
Disable Wireless Debugging
androidTurn off wireless debugging feature to prevent exploitation
Settings > Developer options > Wireless debugging > Toggle OFF
Disable Developer Options
androidCompletely disable developer options if not needed
Settings > System > Developer options > Toggle OFF
🧯 If You Can't Patch
- Disable wireless debugging in developer options
- Only install apps from trusted sources like Google Play Store
🔍 How to Verify
Check if Vulnerable:
Check Android version in Settings > About phone > Android version. If version is 11, 12, or 12L and wireless debugging is enabled, device may be vulnerable.Check Version:
adb shell getprop ro.build.version.releaseVerify Fix Applied:
Verify Android security patch level is April 2022 or later in Settings > About phone > Android security update.📡 Detection & Monitoring
Log Indicators:
- Unexpected shell user processes
- AdbService broadcastPortInfo calls without proper permissions
Network Indicators:
- Wireless ADB connections from unexpected sources
SIEM Query:
process.name: "sh" AND user.name: "shell" AND parent.process.name NOT IN ("adb", "system_server")