CVE-2024-49744

7.8 HIGH

📋 TL;DR

A local escalation-of-privilege bug in Android's AccountManagerService, the system_server component behind the AccountManager API. Parcel data supplied by an app is deserialized unsafely, which lets a malicious app on the device bypass the platform's parcel mismatch mitigations (the checks meant to stop a Bundle from being read one way by the process that validates it and another way by the process that consumes it) and escalate privileges. User interaction is required for exploitation. Affects Android devices with a security patch level earlier than 2025-01-01.
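To make "parcel mismatch" concrete, the following is an added, self-contained Java illustration; it is not Android's code and not taken from this advisory, and it does not reproduce the actual CVE-2024-49744 code path, which this page does not describe. It models the bug class: a toy Parcel/Bundle format, a Parcelable (Flaggy, invented here) whose createFromParcel consumes more bytes than writeToParcel emits, a checking process that plays the role AccountManagerService plays in system_server (inspect the Bundle, then re-serialise and forward it), and a writer-supplied length prefix checked by the reader, modelled on the approach Android took for Bundle values after earlier mismatch bugs. The key names "obj" and "cmd" and the value "do-privileged-thing" are constructed for the example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

/** Toy re-creation of a parcel-mismatch bug and a length-check mitigation. Not Android code. */
public class ParcelMismatchDemo {
    static final int T_STRING = 1, T_OBJ = 2;

    /** Stand-in for android.os.Parcel: big-endian ints, length-prefixed UTF-8 strings. */
    static final class Parcel {
        private final ByteArrayOutputStream out = new ByteArrayOutputStream();
        private final ByteBuffer in;
        Parcel() { in = null; }                               // write mode
        Parcel(byte[] data) { in = ByteBuffer.wrap(data); }  // read mode
        void writeInt(int v) { out.write(v >>> 24); out.write(v >>> 16); out.write(v >>> 8); out.write(v); }
        void writeBytes(byte[] b) { out.write(b, 0, b.length); }
        void writeString(String s) { byte[] b = s.getBytes(StandardCharsets.UTF_8); writeInt(b.length); writeBytes(b); }
        int readInt() { return in.getInt(); }
        String readString() { byte[] b = new byte[readInt()]; in.get(b); return new String(b, StandardCharsets.UTF_8); }
        int position() { return in.position(); }
        byte[] bytes() { return out.toByteArray(); }
    }

    /** Parcelable whose two sides disagree: the reader always consumes 8 bytes, the writer emits 4 when flag == 0. */
    static final class Flaggy {
        final int flag, extra;
        Flaggy(int flag, int extra) { this.flag = flag; this.extra = extra; }
        void writeToParcel(Parcel p) { p.writeInt(flag); if (flag != 0) p.writeInt(extra); }
        static Flaggy createFromParcel(Parcel p) { return new Flaggy(p.readInt(), p.readInt()); }
    }

    /** Bundle layout: count, then per entry: key, type, declared value length, value bytes. */
    static byte[] writeBundle(Map<String, Object> bundle) {
        Parcel p = new Parcel();
        p.writeInt(bundle.size());
        for (Map.Entry<String, Object> e : bundle.entrySet()) {
            Parcel v = new Parcel();
            p.writeString(e.getKey());
            if (e.getValue() instanceof Flaggy) { p.writeInt(T_OBJ); ((Flaggy) e.getValue()).writeToParcel(v); }
            else { p.writeInt(T_STRING); v.writeString((String) e.getValue()); }
            byte[] vb = v.bytes();
            p.writeInt(vb.length);   // declared length is whatever the writer actually produced
            p.writeBytes(vb);
        }
        return p.bytes();
    }

    /** checkLength=false is the pre-mitigation reader; true rejects a value that consumed a different byte count than declared. */
    static Map<String, Object> readBundle(byte[] data, boolean checkLength) {
        Parcel p = new Parcel(data);
        Map<String, Object> bundle = new LinkedHashMap<>();
        int n = p.readInt();
        for (int i = 0; i < n; i++) {
            String key = p.readString();
            int type = p.readInt();
            int declared = p.readInt();
            int start = p.position();
            Object value = (type == T_OBJ) ? Flaggy.createFromParcel(p) : p.readString();
            if (checkLength && p.position() - start != declared)
                throw new IllegalStateException("parcel mismatch while reading key '" + key + "'");
            bundle.put(key, value);
        }
        return bundle;
    }

    /** Attacker-constructed bytes, built by hand rather than through writeBundle. */
    static byte[] attackerBundle() {
        Parcel p = new Parcel();
        p.writeInt(2);
        p.writeString("obj"); p.writeInt(T_OBJ); p.writeInt(8);
        p.writeInt(0); p.writeInt(0x41414141);   // flag=0 plus 4 filler bytes: createFromParcel consumes both
        // Second key: its first 4 bytes double as the length prefix of the hidden key "cmd"
        byte[] key = {0, 0, 0, 3, 'c', 'm', 'd'};
        p.writeInt(key.length); p.writeBytes(key); p.writeInt(T_STRING);
        Parcel v = new Parcel(); v.writeString("do-privileged-thing");
        p.writeInt(v.bytes().length); p.writeBytes(v.bytes());
        return p.bytes();
    }

    /** The checking process (the role system_server plays): refuse a forbidden key, then re-parcel for the receiver. */
    static byte[] checkAndForward(byte[] fromApp, boolean strict) {
        Map<String, Object> seen = readBundle(fromApp, strict);
        if (seen.containsKey("cmd")) throw new SecurityException("cmd not allowed");
        return writeBundle(seen);   // Flaggy goes back out through writeToParcel: 4 bytes now, not 8
    }

    public static void main(String[] args) {
        byte[] forwarded = checkAndForward(attackerBundle(), false);
        System.out.println("checker saw 'cmd': " + readBundle(attackerBundle(), false).containsKey("cmd"));
        System.out.println("receiver sees keys: " + readBundle(forwarded, false).keySet());
        try { readBundle(forwarded, true); }
        catch (IllegalStateException e) { System.out.println("with length check: " + e.getMessage()); }
    }
}
```

Run it with `javac ParcelMismatchDemo.java && java ParcelMismatchDemo`. The checker's parse never contains the key "cmd", so the forbidden-key test passes; after re-serialisation the Flaggy value is four bytes shorter, the receiver's second readInt lands on the next entry's length field, and the receiver's map contains "cmd". With the length check enabled, the receiver rejects the forwarded bundle at the Flaggy entry instead. A real bypass of that mitigation, which is what this CVE is about, needs a path in which the consumed length is not checked, or is checked against a length the attacker controls.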

💻 Affected Systems

Products:
  • Android
Versions: Android builds with a security patch level earlier than 2025-01-01
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with vulnerable AccountManagerService implementation. User interaction required for exploitation.

📦 What is this software?

AccountManagerService is the system_server component behind the android.accounts.AccountManager API. It stores the accounts registered on the device, brokers authentication tokens, and relays Bundles between calling apps and the authenticator apps that own each account type. Because it runs with system privileges and parses Parcel data supplied by untrusted callers, a deserialization flaw in it is a classic local privilege-escalation target.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains elevated system privileges, potentially compromising device integrity and accessing sensitive user data.

🟠

Likely Case

A malicious app already installed on the device uses the required user interaction to escape its sandbox and obtain privileges beyond those it was granted at install time.

🟢

If Mitigated

On a patched device the malformed Parcel data is rejected and the attacking app stays confined to its own sandbox.

🌐 Internet-Facing: LOW - Requires local access and user interaction, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Exploitable by any app running on the device, including one sideloaded by a user with physical access; no network path is involved.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires user interaction and code execution on the device (a local app). Exploitation involves feeding AccountManagerService crafted Parcel/Bundle data that deserializes differently in system_server than in the process it is forwarded to.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: January 2025 Android Security Patch or later

Vendor Advisory: https://source.android.com/security/bulletin/2025-01-01

Restart Required: Yes (the OTA system update reboots the device)

Instructions:

1. Check for Android system updates in Settings > System > System update.
2. Apply the January 2025 security patch or later.
3. Verify the installed patch in Settings > About phone > Android security patch level.

🔧 Temporary Workarounds

Restrict app installations (all devices): only install apps from trusted sources such as the Google Play Store.

Minimize app permissions (all devices): review and restrict app permissions in Settings > Apps.

🧯 If You Can't Patch

  • Isolate vulnerable devices from sensitive networks and data
  • Implement mobile device management (MDM) with strict app control policies

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android security patch level. If it is earlier than 2025-01-01, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows January 2025 or later date.

📡 Detection & Monitoring

Log Indicators:

  • Crashes or exceptions from system_server that mention AccountManagerService or Bundle/Parcel unparceling (adb logcat -b crash, adb logcat -b system)
  • Apps that suddenly hold permissions or account access they were never granted

Network Indicators:

  • Not applicable - local exploitation only

SIEM Query:

Not applicable unless an MDM or mobile EDR agent forwards device logs; where one does, alert on system_server crashes attributed to AccountManagerService and on security patch levels earlier than 2025-01-01 in device inventory.

🔗 References

  • Android Security Bulletin, January 2025: https://source.android.com/security/bulletin/2025-01-01
