CVE-2024-11624

7.8 HIGH

📋 TL;DR

This vulnerability lets a malicious app bypass VPN restrictions on affected Android devices: a permission that should gate the restricted functionality is undeclared, so the check never applies to the calling app. It is a local escalation of privilege that needs no additional execution privileges and no user interaction. Google disclosed it in the Pixel Update Bulletin for December 2024, so Pixel devices are the confirmed population; other Android devices with the same permission handling may also be affected.

💻 Affected Systems

Products:
  • Android
  • Google Pixel devices
Versions: Android builds with a security patch level earlier than the December 2024 patch level (2024-12-01 / 2024-12-05 for Pixel)
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Specifically mentioned in Pixel security bulletin, but may affect other Android devices with similar permission handling

📦 What is this software?

Android is Google's mobile operating system. Pixel devices are Google's own phones and tablets; they receive monthly security updates directly from Google, announced in the Pixel Update Bulletin, which is where this CVE was published.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious app could bypass VPN protections to exfiltrate sensitive data, reach restricted networks, or make unauthorized network connections while the device still appears to be protected by the VPN.

🟠

Likely Case

Malware or compromised apps could bypass enterprise VPN policies, potentially exposing corporate data or accessing internal resources without proper authorization.

🟢

If Mitigated

With proper app vetting and network segmentation, the impact is limited to potential data leakage from individual devices rather than broader network compromise.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a malicious (or compromised) app to be installed and running on the device; no user interaction is needed once the app executes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: December 2024 Android security patch or later

Vendor Advisory: https://source.android.com/security/bulletin/pixel/2024-12-01

Restart Required: Yes (Android system updates are applied on reboot)

Instructions:

1. Check for system updates in Settings > System > System update.
2. Install the December 2024 security patch or later and reboot when prompted.
3. Verify the installed patch level in Settings > About phone > Android version > Android security update.

🔧 Temporary Workarounds

Restrict app installations

Android

Only install apps from trusted sources such as the Google Play Store and disable sideloading. This lowers exposure but is not a complete mitigation: the bug is a missing permission check in the platform, so any installed app, including one that passed Play review, can trigger it.

Settings > Security > Install unknown apps > Disable for all apps (on recent Pixel builds the same setting lives under Settings > Apps > Special app access > Install unknown apps)

Network segmentation

all

Implement network segmentation to limit damage if VPN bypass occurs

🧯 If You Can't Patch

  • Implement strict app vetting and allowlisting policies
  • Use mobile device management (MDM) solutions to enforce security policies and monitor for suspicious network activity

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android version > Android security update. A level earlier than December 2024 means the device is vulnerable. On non-Pixel devices a December 2024 or later level shows the OEM shipped that month's bulletin, not necessarily that this Pixel-bulletin fix was merged; confirm with the OEM's own bulletin.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows December 2024 or later in Settings > About phone > Android version.
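The check above is easy to do by hand on one phone and error-prone across a fleet. The following is an added example (not tooling from the bulletin or from Google) that reads `ro.build.version.security_patch` over adb for a list of serials, validates the value, and sorts devices into patched, vulnerable and unknown. It assumes the December 2024 patch level (2024-12-01 or later) carries the fix, which holds for Pixel; the serials and getprop outputs in `SAMPLE_FLEET` are constructed so the script runs without a device attached.

```python
"""Fleet check for CVE-2024-11624 patch status via ro.build.version.security_patch.

Added example, not part of the Pixel bulletin or any Google tooling. Assumes the
December 2024 patch level (2024-12-01 or later) contains the fix, which is true
for Pixel; for other OEM builds the level alone does not prove the fix was merged.
"""
import re
import shutil
import subprocess
from datetime import date
from typing import Dict, List, Optional

FIXED_PATCH_LEVEL = date(2024, 12, 1)  # December 2024 Android security patch
PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(raw: str) -> Optional[date]:
    """Parse getprop output such as '2024-11-05\\n'; None if missing or malformed."""
    m = PATCH_RE.match(raw.strip())
    if not m:
        return None
    year, month, day = (int(x) for x in m.groups())
    try:
        return date(year, month, day)
    except ValueError:  # e.g. '2024-13-01' from a tampered build.prop
        return None


def classify(raw: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one device's patch string."""
    level = parse_patch_level(raw)
    if level is None:
        return "unknown"
    return "patched" if level >= FIXED_PATCH_LEVEL else "vulnerable"


def query_device(serial: str) -> str:
    """Read the patch level over adb; empty string if adb is absent or the call fails."""
    if shutil.which("adb") is None:
        return ""
    try:
        out = subprocess.run(
            ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
            capture_output=True, text=True, timeout=15, check=False,
        )
    except (OSError, subprocess.TimeoutExpired):
        return ""
    return out.stdout if out.returncode == 0 else ""


def summarize(results: Dict[str, str]) -> Dict[str, List[str]]:
    """Group serials by classification so the 'vulnerable' list can go to MDM or ticketing."""
    groups: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for serial, raw in sorted(results.items()):
        groups[classify(raw)].append(serial)
    return groups


# Constructed sample getprop output for three hypothetical serials (not real devices).
SAMPLE_FLEET = {
    "PIXEL-A001": "2024-12-05\n",  # Pixel December 2024 bulletin level: fixed
    "PIXEL-B002": "2024-11-05\n",  # one month behind: still exposed
    "PIXEL-C003": "",              # adb failed or property missing: needs a look
}

if __name__ == "__main__":
    # Replace SAMPLE_FLEET with {s: query_device(s) for s in serials} for live devices.
    for group, serials in summarize(SAMPLE_FLEET).items():
        print(f"{group:10s} {', '.join(serials) or '-'}")
```

Devices that land in "unknown" deserve as much attention as "vulnerable": an empty or malformed patch level usually means the device was unreachable, is not enrolled, or is running a modified build.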

📡 Detection & Monitoring

Log Indicators:

  • Unexpected network connections from apps that should be VPN-restricted
  • VPN service errors or disconnections

Network Indicators:

  • Direct internet connections from devices that should be VPN-tunneled
  • Traffic bypassing expected VPN gateways

SIEM Query:

source="android_logs" AND (event="VPN_BYPASS" OR app_network_access="unexpected")

This query is illustrative only: Android emits no standard VPN_BYPASS event, and the field names depend on what your MDM or VPN client exports. The reliable signal is on the network side: egress flows from a device under an always-on (lockdown) VPN policy that do not terminate at that device's VPN gateway.
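The network indicators above can be turned into a concrete rule once flow logs are joined to MDM policy. The following added example (not code from the bulletin or any vendor) flags flows from devices that are supposed to be in always-on VPN lockdown but reach a destination other than their VPN gateway; the policy table, allow-listed local ranges and the flow records are constructed for the example, and the field names are assumptions about what your flow source and MDM export.

```python
"""Flag traffic that sidesteps an always-on (lockdown) VPN on managed Android devices.

Added example, not code from the Pixel bulletin or any vendor. Assumes egress
flow logs (firewall, NetFlow, Wi-Fi controller) can be joined to an MDM
inventory that says which devices must tunnel everything through a VPN gateway.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Hypothetical MDM policy export: device id -> VPN gateway every flow must terminate at.
LOCKDOWN_POLICY = {
    "dev-1001": ip_address("203.0.113.10"),
    "dev-1002": ip_address("203.0.113.10"),
}
# Local destinations that are legitimate outside the tunnel (DHCP/DNS on the Wi-Fi segment).
LOCAL_ALLOW = [ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: str
    device: str
    dst: str
    dport: int
    proto: str


def is_bypass(flow: Flow) -> bool:
    """True when a lockdown-VPN device talks to something other than its VPN gateway."""
    gateway = LOCKDOWN_POLICY.get(flow.device)
    if gateway is None:          # device not under lockdown policy: nothing to enforce
        return False
    dst = ip_address(flow.dst)
    if dst == gateway:           # the tunnel itself
        return False
    if any(dst in net for net in LOCAL_ALLOW):
        return False
    return True                  # direct egress from a device that should have none


def detect(flows: List[Flow]) -> Dict[str, List[Flow]]:
    """Group bypassing flows per device; an empty dict means nothing to alert on."""
    hits: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        if is_bypass(f):
            hits[f.device].append(f)
    return dict(hits)


# Constructed sample flow log (not captured from a real network).
SAMPLE_FLOWS = [
    Flow("2024-12-10T09:00:01Z", "dev-1001", "203.0.113.10", 443, "udp"),   # VPN tunnel: fine
    Flow("2024-12-10T09:00:02Z", "dev-1001", "192.168.1.1", 53, "udp"),     # local DNS: fine
    Flow("2024-12-10T09:00:05Z", "dev-1001", "198.51.100.77", 443, "tcp"),  # direct egress: bypass
    Flow("2024-12-10T09:01:00Z", "dev-1002", "203.0.113.10", 443, "udp"),   # VPN tunnel: fine
    Flow("2024-12-10T09:01:30Z", "dev-9999", "198.51.100.77", 443, "tcp"),  # unmanaged: ignored
]

if __name__ == "__main__":
    for device, flows in detect(SAMPLE_FLOWS).items():
        for f in flows:
            print(f"ALERT {f.ts} {device} -> {f.dst}:{f.dport}/{f.proto} outside lockdown VPN")
```

Tune the allow list before enabling alerts: captive-portal logins and the VPN client's own bootstrap traffic (DNS resolution of the gateway name, for example) will otherwise produce noise that looks identical to a genuine bypass.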
