CVE-2022-24931
📋 TL;DR
This vulnerability allows unauthorized attackers to execute arbitrary activities through Samsung's ApkInstaller dynamic receiver without proper permissions. It affects Samsung devices running Android with ApkInstaller prior to the March 2022 security update. Attackers can potentially install malicious apps or perform unauthorized actions.
💻 Affected Systems
- Samsung Android devices with ApkInstaller
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise allowing installation of malicious apps, data theft, or ransomware deployment without user interaction.
Likely Case
Silent installation of adware, spyware, or credential-stealing applications that appear legitimate to users.
If Mitigated
No impact if patched; otherwise, standard Android permissions would still apply to installed apps.
🎯 Exploit Status
Requires a malicious app to already be installed, or the user to interact with malicious content. Exploitation involves crafting specific intents to the vulnerable receiver.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SMR MAR-2022 Release or later
Vendor Advisory: https://security.samsungmobile.com/securityUpdate.smsb?year=2022&month=3
Restart Required: Yes
Instructions:
1. Go to Settings > Software update > Download and install.
2. Apply the March 2022 or later security update.
3. Restart the device after the update completes.
🔧 Temporary Workarounds
Disable unknown sources
Prevent installation from unknown sources to reduce the attack surface.
Settings > Security > Install unknown apps > Disable for all apps
Use Samsung Knox
Enterprise devices can use Knox policies to restrict app installations.
Configure via Knox admin portal or MDM
🧯 If You Can't Patch
- Restrict app installations to Google Play Store only
- Deploy mobile threat defense solution to detect malicious apps
🔍 How to Verify
Check if Vulnerable:
Check Settings > About phone > Software information > Android security patch level. If it is before March 2022, the device is vulnerable.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify that the Android security patch level shows March 2022 or later. Check the ApkInstaller version in app settings if it is visible.
📡 Detection & Monitoring
Log Indicators:
- Unexpected intents to com.sec.android.app.parser.APKParserReceiver
- Silent APK installation attempts
- Package installer activity from unexpected sources
Network Indicators:
- Downloads of APK files from untrusted sources
- C2 communication from newly installed apps
SIEM Query:
source="android_logs" AND (event="package_install" AND source_package!="com.android.vending")
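As an added example (not from the advisory), a Python script that applies this page's verification and detection logic: it compares a ro.build.version.security_patch value against the SMR MAR-2022 fix level and scans constructed, simplified logcat-style lines for the two log indicators above. The log line layout, the field names and the caller allowlist are assumptions to be tuned per fleet.

```python
import re
from typing import Dict, FrozenSet, List

# Security patch level that carries the SMR MAR-2022 fix for CVE-2022-24931.
FIXED_PATCH_LEVEL = "2022-03-01"
# Receiver named in the advisory's log indicators.
VULNERABLE_RECEIVER = "com.sec.android.app.parser.APKParserReceiver"
# Installer treated as trusted (Google Play Store), as in the SIEM query.
TRUSTED_INSTALLER = "com.android.vending"


def patch_level_is_fixed(patch_level: str) -> bool:
    """True if a ro.build.version.security_patch value (YYYY-MM-DD) is at/after the fix."""
    value = patch_level.strip()
    if not re.fullmatch(r"\d{4}-\d{2}-\d{2}", value):
        raise ValueError(f"unexpected patch level format: {patch_level!r}")
    return value >= FIXED_PATCH_LEVEL  # ISO dates compare correctly as strings


# Constructed, simplified logcat-style lines (assumed format, not real device output).
SAMPLE_LOG = """\
03-10 12:00:01.000 I ActivityManager: Start intent { cmp=com.sec.android.app.parser/.APKParserReceiver } from pkg=com.example.game
03-10 12:00:02.000 I PackageManager: package_install pkg=com.evil.adware installer=com.example.game
03-10 12:05:00.000 I PackageManager: package_install pkg=com.good.app installer=com.android.vending
03-10 12:06:00.000 I ActivityManager: Start intent { cmp=com.sec.android.app.parser/.APKParserReceiver } from pkg=com.sec.android.app.samsungapps
"""

INSTALL_RE = re.compile(r"package_install pkg=(\S+) installer=(\S+)")
INTENT_RE = re.compile(r"cmp=([^/\s]+)/(\S+).*?from pkg=(\S+)")


def flatten_component(pkg: str, cls: str) -> str:
    # Android's short component form "pkg/.Cls" abbreviates the class name to "pkg.Cls".
    return pkg + cls if cls.startswith(".") else cls


def find_indicators(log_text: str, expected_callers: FrozenSet[str] = frozenset()) -> List[Dict[str, str]]:
    """Flag installs not from the trusted installer and receiver intents from unexpected callers."""
    hits: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = INSTALL_RE.search(line)
        if m and m.group(2) != TRUSTED_INSTALLER:
            hits.append({"type": "untrusted_install", "package": m.group(1), "source": m.group(2)})
            continue
        m = INTENT_RE.search(line)
        if m and flatten_component(m.group(1), m.group(2)) == VULNERABLE_RECEIVER and m.group(3) not in expected_callers:
            hits.append({"type": "receiver_intent", "package": VULNERABLE_RECEIVER, "source": m.group(3)})
    return hits
```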