CVE-2025-48528
📋 TL;DR
This CVE describes a tapjacking/overlay vulnerability in Android's biometric authentication system that allows attackers to overlay legitimate biometric prompts with malicious ones. This could lead to local privilege escalation without requiring user interaction or additional execution privileges. The vulnerability affects Android devices with biometric authentication enabled.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker could bypass biometric authentication entirely, gaining unauthorized access to sensitive applications and data protected by biometric locks.
Likely Case
Attackers could trick users into authenticating malicious overlays, potentially granting access to specific apps or functions without proper authorization.
If Mitigated
With proper security controls and user awareness, the risk is reduced to occasional successful attacks requiring physical device access.
🎯 Exploit Status
Exploitation requires physical access to the device or malware already installed on the device. No user interaction needed for successful exploitation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android September 2025 security patch or later
Vendor Advisory: https://source.android.com/security/bulletin/2025-09-01
Restart Required: No
Instructions:
1. Check for system updates in Settings > System > System update.
2. Install the September 2025 Android security patch or later.
3. Verify the patch is applied by checking the security patch level in Settings > About phone > Android version.
🔧 Temporary Workarounds
Disable biometric authentication
Temporarily disable all biometric authentication methods until the patch can be applied.
Enable screen pinning
Use screen pinning to prevent unauthorized app switching and overlay attacks.
🧯 If You Can't Patch
- Implement strict physical security controls for devices
- Use alternative authentication methods (PIN/pattern) instead of biometrics
🔍 How to Verify
Check if Vulnerable:
Check if the security patch level is earlier than September 2025 in Settings > About phone > Android version
Check Version:
Settings > About phone > Android version > Security patch level
Verify Fix Applied:
Verify the security patch level shows September 2025 or later in Settings > About phone > Android version
📡 Detection & Monitoring
Log Indicators:
- Multiple biometric authentication attempts in rapid succession
- Unusual app overlay permissions being granted
Network Indicators:
- No network indicators as this is a local attack
SIEM Query:
No applicable SIEM query as this is a local device vulnerability
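The two manual checks above (reading the security patch level, and watching which apps hold overlay permissions) can be scripted over adb for a fleet of test devices. The script below is an added example, not part of this advisory or of Android itself. It reads the real system property `ro.build.version.security_patch`, compares it with the 2025-09-01 bulletin date given above, and lists packages allowed to draw over other apps. The function names (`patch_status`, `level_to_int`, `device_patch_level`, `overlay_capable_packages`) are this example's own, and the overlay listing assumes the device's `appops` supports `query-op`, which recent Android releases provide.

```shell
#!/bin/sh
# Added example (not from the advisory): check an Android device's security
# patch level against the 2025-09-01 bulletin and list overlay-capable apps.

FIXED_PATCH_LEVEL="2025-09-01"   # first patch level containing the fix (bulletin date above)

# Turn an ISO date (YYYY-MM-DD) into an integer so levels compare numerically.
level_to_int() {
    printf '%s' "$1" | sed 's/-//g'
}

# patch_status LEVEL : prints "patched", "vulnerable" or "unknown" (bad format).
patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if [ "$(level_to_int "$level")" -ge "$(level_to_int "$FIXED_PATCH_LEVEL")" ]; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Read the patch level of the connected device (needs adb and USB debugging).
# ro.build.version.security_patch is the property shown under "Security patch level".
device_patch_level() {
    adb shell getprop ro.build.version.security_patch | tr -d '\r'
}

# List packages allowed to draw over other apps (SYSTEM_ALERT_WINDOW); this is
# the permission behind the "unusual app overlay permissions" log indicator.
# Assumption: the device's appops binary supports "query-op" (Android 10 and later).
overlay_capable_packages() {
    adb shell appops query-op SYSTEM_ALERT_WINDOW allow | tr -d '\r'
}

# Only talk to a device when asked, so the functions can be sourced and tested offline.
if [ "${1:-}" = "--device" ]; then
    level=$(device_patch_level)
    echo "security patch level: $level -> $(patch_status "$level")"
    echo "packages that may draw overlays:"
    overlay_capable_packages
fi
```

Run it as `sh check_patch.sh --device` with one device attached; any package in the overlay list that is not a launcher, accessibility tool or other app you expect to draw over the screen is worth reviewing, since overlay ability is what a tapjacking attack needs.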