CVE-2025-48529
📋 TL;DR
This vulnerability allows a malicious app to access voicemail notification settings from other user profiles on the same Android device without requiring user interaction. It affects Android devices with multiple user profiles enabled. The attacker needs local access but no special permissions.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker could access sensitive voicemail notification data from other user profiles, potentially revealing contact information, voicemail metadata, or other personal data stored in voicemail settings.
Likely Case
Limited information disclosure of voicemail notification preferences and associated metadata between user profiles on shared devices.
If Mitigated
No data leakage occurs between user profiles due to proper permission checks and user isolation.
🎯 Exploit Status
Requires a malicious app to be installed on the device. No user interaction needed for exploitation once installed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: September 2025 Android Security Patch or later
Vendor Advisory: https://source.android.com/security/bulletin/2025-09-01
Restart Required: No
Instructions:
1. Check for system updates in Settings > System > System update
2. Install the September 2025 Android Security Patch or later
3. No restart required, but recommended
🔧 Temporary Workarounds
Disable multiple user profiles
Android: Remove additional user profiles to eliminate the cross-user attack surface
Settings > System > Multiple users > Remove additional users
Restrict app installations
Android: Only install apps from trusted sources like Google Play Store
Settings > Security > Install unknown apps > Disable for all apps
🧯 If You Can't Patch
- Isolate sensitive user profiles from general use profiles
- Implement mobile device management (MDM) to control app installations
🔍 How to Verify
Check if Vulnerable:
Check Android version and security patch level in Settings > About phone > Android version
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify security patch level shows 'September 5, 2025' or later in Settings > About phone > Android version
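The check above can be scripted across several attached devices. This is an added example, not part of the advisory: the function names `patch_status` and `audit_devices` are hypothetical, and the threshold `2025-09-05` is the 'September 5, 2025' level from the Verify Fix Applied step, written in the `YYYY-MM-DD` form that `ro.build.version.security_patch` reports.

```shell
#!/bin/sh
# Added example: classify Android security patch levels against the fix
# level this page gives for CVE-2025-48529 (September 5, 2025).
FIXED_LEVEL="2025-09-05"   # assumption: page's date in getprop's YYYY-MM-DD form

# patch_status LEVEL
# Prints PATCHED, VULNERABLE or UNKNOWN for one patch-level string.
patch_status() {
    # adb shell output can carry a trailing CR or spaces; strip them first.
    level=$(printf '%s' "$1" | tr -d '[:space:]')
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *)  # empty, localized or otherwise unparsable value: do not guess
            echo UNKNOWN
            return 0 ;;
    esac
    # YYYY-MM-DD with the dashes removed compares correctly as an integer.
    have=$(printf '%s' "$level" | tr -d '-')
    need=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then
        echo PATCHED
    else
        echo VULNERABLE
    fi
}

# audit_devices
# Prints "serial <TAB> patch level <TAB> status" for every authorized device
# listed by `adb devices`. Unauthorized or offline devices are skipped.
audit_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        # </dev/null stops adb from consuming the rest of the serial list.
        raw=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null)
        printf '%s\t%s\t%s\n' "$serial" "$raw" "$(patch_status "$raw")"
    done
}

# Source this file, then run: audit_devices
```

A device reported as UNKNOWN returned no parsable patch level and should be checked by hand in Settings > About phone > Android version.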
📡 Detection & Monitoring
Log Indicators:
- Unusual access to voicemail settings APIs from non-system apps
- Cross-user permission violations in system logs
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="android_system_logs" AND ("VoicemailNotificationSettingsUtil" OR "setRingtoneUri") AND "permission denied"