CVE-2024-40657
📋 TL;DR
This vulnerability in Android's Settings app allows a malicious app to disable other users' apps on multi-user devices through a confused deputy attack. It enables local privilege escalation without requiring user interaction or additional permissions. Affects Android devices with multiple user profiles enabled.
💻 Affected Systems
- Android Settings application
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker could disable critical system apps for other users, potentially rendering their profiles unusable or creating denial-of-service conditions across user accounts on shared devices.
Likely Case
Malicious apps could disable competitor apps or security software for other users on the same device, gaining competitive advantage or reducing security posture.
If Mitigated
With proper app sandboxing and permission controls, impact is limited to non-system apps and doesn't affect device owner or primary user.
🎯 Exploit Status
Exploitation requires a malicious app to be installed on the device. No user interaction needed once app is installed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: September 2024 Android security patch level or later
Vendor Advisory: https://source.android.com/security/bulletin/2024-09-01
Restart Required: Yes
Instructions:
1. Check for system updates in Settings > System > System update.
2. Install the September 2024 or later security patch.
3. Reboot the device after installation.
🔧 Temporary Workarounds
Disable multi-user mode
Platform: Android
Prevents exploitation by removing the multi-user context required for the attack.
adb shell pm remove-user <user_id> (for each secondary user)
adb shell settings put global guest_user_enabled 0
Restrict app installations
Platform: Android
Prevents installation of untrusted apps that could exploit this vulnerability.
adb shell settings put secure install_non_market_apps 0
🧯 If You Can't Patch
- Disable multi-user profiles on shared devices
- Implement strict app allowlisting and only install apps from trusted sources
🔍 How to Verify
Check if Vulnerable:
Check the Android security patch level in Settings > About phone > Android version. If the patch level is before September 2024, the device is vulnerable.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify security patch level shows September 2024 or later. Test multi-user functionality to ensure apps can't be disabled across users.
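As an added check that is not part of this advisory, the following POSIX shell script classifies a device's security patch level against the September 2024 fix and counts secondary user profiles, since the bug only matters where more than one profile exists; the sample getprop value and `pm list users` output are constructed, and the parser assumes the usual `UserInfo{id:name:flags}` line format of `pm list users`.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a device against the
# September 2024 fix for CVE-2024-40657 and count secondary users.
# Assumes POSIX sh; adb is only needed when run with --device.
FIX_PATCH_LEVEL=20240901   # security patch level 2024-09-01, as a number

# patch_status LEVEL  -> vulnerable | patched | unknown
# LEVEL is the raw output of `getprop ro.build.version.security_patch`.
patch_status() {
    # adb shell may append a carriage return; drop it and any whitespace
    level=$(printf '%s' "$1" | tr -d '\r \t\n')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return 0 ;;
    esac
    num=$(printf '%s' "$level" | tr -d '-')   # YYYY-MM-DD -> YYYYMMDD
    if [ "$num" -lt "$FIX_PATCH_LEVEL" ]; then echo vulnerable; else echo patched; fi
}

# secondary_user_count PM_OUTPUT -> number of users other than user 0
# PM_OUTPUT is the raw output of `pm list users` (one UserInfo{id:name:flags} line per user).
secondary_user_count() {
    printf '%s\n' "$1" | tr -d '\r' | grep -c 'UserInfo.[1-9][0-9]*:' || true
}

# exposure PATCH_STATUS SECONDARY_COUNT -> exposed | not-exposed | unknown
exposure() {
    case "$1" in
        vulnerable) [ "$2" -gt 0 ] && echo exposed || echo not-exposed ;;
        patched) echo not-exposed ;;
        *) echo unknown ;;
    esac
}

# Constructed sample: an unpatched device with two secondary users.
SAMPLE_LEVEL="2024-08-05"
SAMPLE_USERS="Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:Work:30} running
    UserInfo{11:Guest:404}"

check_device() {   # query a connected device over adb
    st=$(patch_status "$(adb shell getprop ro.build.version.security_patch)")
    n=$(secondary_user_count "$(adb shell pm list users)")
    echo "patch=$st secondary_users=$n exposure=$(exposure "$st" "$n")"
}

case "${1:-}" in
    --device) check_device ;;
    *) st=$(patch_status "$SAMPLE_LEVEL"); n=$(secondary_user_count "$SAMPLE_USERS")
       echo "sample: patch=$st secondary_users=$n exposure=$(exposure "$st" "$n")" ;;
esac
```

Run it with `--device` to query a connected device; without arguments it evaluates the constructed sample.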
📡 Detection & Monitoring
Log Indicators:
- Unexpected app disable events in system logs
- PackageManager operations from non-owner users affecting other users' apps
Network Indicators:
- None - this is a local attack
SIEM Query:
source="android_system" AND "PackageManager" AND "disable" AND target_user!=current_user