CVE-2025-48555
📋 TL;DR
This vulnerability allows malicious apps to access sensitive information from other user profiles on Android devices through a confused deputy attack in NotificationStation. It affects Android devices with multiple user profiles enabled, requiring no user interaction for exploitation.
💻 Affected Systems
- Android Settings app
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains access to sensitive data from other user profiles including personal information, messages, and authentication tokens, potentially leading to full account compromise across profiles.
Likely Case
Malicious apps exfiltrate limited cross-profile data such as notification content, contact information, or app-specific data from other profiles.
If Mitigated
With proper app sandboxing and profile isolation, only non-sensitive notification data might be accessible between profiles.
🎯 Exploit Status
Exploitation requires a malicious app to be installed on the device. The confused deputy pattern makes exploitation straightforward once the app is present.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: December 2025 Android Security Patch (security patch level 2025-12-01) or later
Vendor Advisory: https://source.android.com/security/bulletin/2025-12-01
Restart Required: Yes
Instructions:
1. Open Settings > System > System update and check for updates.
2. Install the December 2025 (2025-12-01) security patch or a later one.
3. Reboot the device after installation.
🔧 Temporary Workarounds
Disable multiple user profiles
Remove additional user profiles so there is no second profile for a malicious app to read from; the attack only matters on devices with more than one profile.
Settings > System > Multiple users > Remove user profiles
Restrict app installations
Exploitation needs a malicious app on the device. Allow installs only from trusted stores such as Google Play, keep Google Play Protect enabled, and block sideloading by disabling "Install unknown apps" for every app.
Settings > Security > Install unknown apps > Disable for all apps (on recent Android releases this lives under Settings > Apps > Special app access; the exact path varies by Android version and OEM)
🧯 If You Can't Patch
- Implement Mobile Device Management (MDM) with strict app whitelisting to prevent malicious app installation
- Disable work profiles or separate user profiles on corporate devices until patched
🔍 How to Verify
Check if Vulnerable:
Check the Android security patch level in Settings > About phone > Android version > Security patch level. The level is a date (for example 2025-11-05); anything earlier than 2025-12-01 means the device does not have the fix.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
After the update, confirm that the security patch level reads 2025-12-01 or a later date, both in Settings and in the output of the adb command above.
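The verification steps above and the "remove extra user profiles" workaround can be combined into a single exposure check over adb. The script below is an added example, not part of the advisory or of Android: it compares the reported security patch level with the fixed level 2025-12-01 and counts user profiles, since the cross-profile attack has no target on a single-user device. The two adb commands (`getprop ro.build.version.security_patch` and `pm list users`) are real; the sample `pm list users` output embedded for offline use is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): assess a device's exposure to
# CVE-2025-48555 over adb. A device is exposed when its security patch level
# is before 2025-12-01 AND it has more than one user profile.
# The sample `pm list users` output near the bottom is constructed.

FIXED_PATCH="2025-12-01"   # fixed level, per the 2025-12-01 bulletin

# Exit status: 0 = at or after the fixed level, 1 = before it, 2 = unrecognised.
# Patch levels are YYYY-MM-DD, so removing the dashes yields an integer that
# compares in date order; malformed input (e.g. empty getprop output) is
# reported as unrecognised instead of being silently treated as old.
patch_is_fixed() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    lvl=$(printf '%s' "$1" | tr -d '-')
    fixed=$(printf '%s' "$FIXED_PATCH" | tr -d '-')
    [ "$lvl" -ge "$fixed" ]
}

# Print "fixed", "vulnerable" or "unknown" for a patch level string.
classify_patch() {
    rc=0
    patch_is_fixed "$1" || rc=$?
    case $rc in
        0) echo fixed ;;
        1) echo vulnerable ;;
        *) echo unknown ;;
    esac
}

# Count profiles in `pm list users` output: one "UserInfo{<id>:<name>:<flags>}"
# line per user. Work profiles are listed here as well.
count_users() {
    printf '%s\n' "$1" | grep -c 'UserInfo{' || true
}

# Combine both checks: only a pre-fix device with 2+ profiles is exposed.
assess() {   # $1 = patch level, $2 = `pm list users` output
    state=$(classify_patch "$1")
    nusers=$(count_users "$2")
    if [ "$state" = vulnerable ] && [ "$nusers" -gt 1 ]; then
        echo "exposed ($nusers user profiles, patch $1)"
    elif [ "$state" = vulnerable ]; then
        echo "vulnerable but single-user (no cross-profile target)"
    else
        echo "$state"
    fi
}

# Constructed sample in the format `pm list users` prints (an owner plus a
# work profile), used when no device is attached.
SAMPLE_USERS='Users:
  UserInfo{0:Owner:c13} running
  UserInfo{10:Work profile:1030} running'

# Query a real device when adb is available; otherwise run on the sample.
main() {
    if command -v adb >/dev/null 2>&1; then
        level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
        pm_out=$(adb shell pm list users)
    else
        level="2025-11-01"; pm_out="$SAMPLE_USERS"
    fi
    echo "patch=$level profiles=$(count_users "$pm_out") -> $(assess "$level" "$pm_out")"
}

main
```

Run it with a device attached over USB debugging; with no adb on the host it prints the result for the constructed sample. A "vulnerable but single-user" result still means the patch is missing, it only says the specific cross-profile attack has nothing to read until a second profile is created.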
📡 Detection & Monitoring
Log Indicators:
- Unusual cross-profile intents in logcat directed at the Settings app's NotificationStation component, particularly from third-party apps on devices with more than one user profile
- Repeated permission denials logged against a single app that is attempting to read data belonging to another profile
Network Indicators:
- Suspicious data exfiltration from apps that hold notification-related permissions
SIEM Query:
source="android_logs" AND "NotificationStation"
Narrow the query by process or app package in your own log schema. "Confused deputy" is the name of the attack pattern, not a string that appears in device logs, so do not search for it.