CVE-2025-32349
📋 TL;DR
This CVE describes a tapjacking/overlay vulnerability in Android that allows malicious apps to draw over legitimate apps and intercept user taps, potentially granting unauthorized permissions or actions. It affects Android devices and can be exploited without user interaction, leading to local privilege escalation.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains full control over the device by tricking users into granting permissions or performing actions that escalate privileges to system-level access.
Likely Case
Malicious apps steal sensitive data, install additional malware, or perform unauthorized transactions by overlaying legitimate banking or authentication apps.
If Mitigated
With proper security controls like app verification and overlay permission restrictions, the attack surface is reduced, though some risk remains from sideloaded apps.
🎯 Exploit Status
Exploitation requires a malicious app to be installed on the device, but no user interaction is needed once installed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: September 2025 Android Security Patch Level or later
Vendor Advisory: https://source.android.com/security/bulletin/2025-09-01
Restart Required: Yes
Instructions:
1. Check for system updates in Settings > System > System update.
2. Apply the September 2025 security patch.
3. Restart the device after installation.
🔧 Temporary Workarounds
Disable overlay permissions for untrusted apps
(Android) Prevent apps from drawing over other apps by revoking the SYSTEM_ALERT_WINDOW permission.
Settings > Apps > [App Name] > Advanced > Draw over other apps > Don't allow
Enable Google Play Protect
(Android) Use the built-in malware scanning to detect and block malicious apps.
Settings > Security > Google Play Protect > Scan device for security threats
🧯 If You Can't Patch
- Restrict app installations to Google Play Store only and disable unknown sources
- Implement mobile device management (MDM) policies to control app permissions and monitor for overlay attacks
🔍 How to Verify
Check if Vulnerable:
Check the Android security patch level in Settings > About phone > Android version > Security patch level. If it is earlier than September 2025, the device is vulnerable.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Confirm security patch level shows 'September 5, 2025' or later in Settings > About phone.
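Added example, not taken from the advisory or from the Android project, that automates the patch-level check above and the overlay workaround's inventory step in one POSIX shell script. It assumes adb is on PATH, that the device accepts `pm list packages -3` and `cmd appops get <pkg> SYSTEM_ALERT_WINDOW`, and that the app-op output looks like "SYSTEM_ALERT_WINDOW: allow; ..." (the format is an assumption; the sample strings are constructed).

```shell
#!/bin/sh
# Added example (not from the Android bulletin or this advisory): compare the
# device's security patch level with the fixed level, then list third-party
# packages whose "draw over other apps" app-op is currently allowed, i.e. the
# permission the workaround tells you to revoke.
# Assumptions: adb is on PATH; the device supports `pm list packages -3` and
# `cmd appops get <pkg> SYSTEM_ALERT_WINDOW`, printing "SYSTEM_ALERT_WINDOW: allow; ...".

FIXED_PATCH="2025-09-05"   # patch level the advisory names as fixed

# "YYYY-MM-DD" -> integer YYYYMMDD so two levels can be compared numerically.
patch_to_int() {
    printf '%s' "$1" | sed 's/-//g'
}

# Exit 0 if the given patch level is earlier than FIXED_PATCH (vulnerable),
# 1 if it is the fixed level or later, 2 if the value is not a valid level.
is_vulnerable_patch() {
    _level=$(patch_to_int "$1")
    case "$_level" in
        ''|*[!0-9]*) return 2 ;;   # e.g. empty or garbage getprop output
    esac
    [ "$_level" -lt "$(patch_to_int "$FIXED_PATCH")" ]
}

# Exit 0 if one `cmd appops get` output line says the overlay op is allowed;
# "deny", "ignore", "default" and "No operations." all count as not allowed.
overlay_allowed() {
    case "$1" in
        *"SYSTEM_ALERT_WINDOW: allow"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Device pass: needs a connected, authorised device. Only runs with --device
# so the functions above can be sourced or tested without adb present.
if [ "${1:-}" = "--device" ]; then
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if is_vulnerable_patch "$level"; then
        echo "patch level $level is before $FIXED_PATCH: vulnerable"
    else
        echo "patch level $level: fixed level or later"
    fi
    adb shell pm list packages -3 | tr -d '\r' | sed 's/^package://' |
    while read -r pkg; do
        out=$(adb shell cmd appops get "$pkg" SYSTEM_ALERT_WINDOW | tr -d '\r')
        overlay_allowed "$out" && echo "overlay allowed: $pkg"
    done
fi
```

Run it as `sh triage.sh --device` against a connected device; any package reported as "overlay allowed" is a candidate for the Draw over other apps > Don't allow workaround.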
📡 Detection & Monitoring
Log Indicators:
- Unusual SYSTEM_ALERT_WINDOW permission grants in app installation logs
- Multiple overlay window creation events from a single app
Network Indicators:
- None (local attack only)
SIEM Query:
source="android_logs" AND (event="SYSTEM_ALERT_WINDOW_granted" OR event="overlay_window_created")