Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability

Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability

Loading

With physical access to Android device with enabled ADB debugging running Android 12 or 13 before receiving March 2024 security patch, it is possible to access internal data of any user installed app by misusing CVE-2024-0044 vulnerability.

Figure 1. Vulnerability details

Internal data of apps contain sensitive information that app works with and are not meant to be shared with other apps. These data are stored either in XML files (shared preferences) or mainly in databases. If such data are not encrypted, then by exploiting this vulnerability, it is possible to exfiltrate them from device and access them.

Using my unpatched Android 13, I was able to dump from Google Messages and Phone by Google apps unencrypted SMS messages and contact list.

Figure 2. Readable contact name and SMS body exfiltrated from Google Messages app
Figure 3. Phone number and contact name exfiltrated from Phone by Google app

From third party apps, I extracted messages and contacts from WhatsApp app, as demonstrated in the video below.

This vulnerability can be exploited even by non rooted Android smartphone with ADB tools installed, see Figure 4. If you are interested, I have created a short video tutorial on how to install ADB and fastboot in Termux app without root.

Figure 4. Exploiting CVE-2024-0044 using Android smartphone

Details

This vulnerability was discovered and reported by Meta Red Team X. Further exploitation details and prove of concept were summarized and shared by Tinyhack.com.

Conclusion

This vulnerability can be exploit only against unpatched devices with enabled ADB debugging which means that this wouldn’t be very useful to threat actors. However, this exploit could be useful to Android forensic analyst.

5 thoughts on “Exfiltrate sensitive user data from apps on Android 12 and 13 using CVE-2024-0044 vulnerability

  1. Prince bhargav

    Nice sir 😀 thanks you so much ☺️

  2. N

    Is there a way to turn on ADB from a locked android phone?

    1. No. It is not possible to turn on ADB from a locked phone.

  3. mussa

    senhor. bom dia! como posso usar o cve-2024-0044-vulnerability no windows 10?

    1. This vulnerability affects only Android system version 12 and 13. It can’t be used to target Windows 10.

Leave a Reply

Your email address will not be published. Required fields are marked *