CVE-2022-22292 - Vulnerability affecting Samsung Android devices
Start arbitrary activity app components as the system user: vulnerability affecting Samsung Android devices

This report provides details for a vulnerability, CVE-2022-22292, discovered by Kryptowire, that is present in various Samsung Android devices running Android versions 9, 10, 11, and 12. The vulnerability allows any local app on the device (including third-party apps with zero permissions) to provide arbitrary Intent objects that will be used by a pre-installed app (com.android.server.telecom) executing as the system user to start an activity app component (even one that is not exported) of the attacker's choosing, affecting Android versions 10, 11, and 12. The same vulnerability is present on Android 9, although there it allows zero-permission third-party apps to provide arbitrary Intent objects that are sent to broadcast receiver app components by the same vulnerable pre-installed app executing as the system user (instead of being used to start arbitrary activity app components, as in more recent Android versions). This vulnerability allows a third-party app to provide arbitrary Intent objects that will be started by a pre-installed app executing as the system user with all its permissions, privileges, and capabilities.
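The defect described above is a confused-deputy pattern: a privileged component accepts an Intent from an arbitrary caller and starts it under its own identity. The guard below is an added example (not Kryptowire's or Samsung's code) showing how a privileged app can sanitize a caller-supplied Intent before forwarding it; the class name, the sanitize()/forward() helpers and the rule of refusing non-exported or permission-guarded targets are this example's assumptions, not part of the report.

```java
// Added defensive example (not from Kryptowire or Samsung): a privileged app that
// receives an Intent from another app must not forward it blindly. This guard only
// lets through targets the caller could already have started by itself.
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.content.pm.ActivityInfo;
import android.content.pm.PackageManager;

public final class NestedIntentGuard {
    private static final int GRANT_FLAGS =
            Intent.FLAG_GRANT_READ_URI_PERMISSION
            | Intent.FLAG_GRANT_WRITE_URI_PERMISSION
            | Intent.FLAG_GRANT_PERSISTABLE_URI_PERMISSION
            | Intent.FLAG_GRANT_PREFIX_URI_PERMISSION;

    private NestedIntentGuard() {}

    /** Returns a sanitized copy of a caller-supplied Intent, or null if it must be refused. */
    public static Intent sanitize(Context ctx, Intent untrusted) {
        if (untrusted == null) return null;
        PackageManager pm = ctx.getPackageManager();
        Intent copy = new Intent(untrusted);
        // URI grant flags would be honoured with our (system) identity, not the caller's.
        copy.removeFlags(GRANT_FLAGS);
        // A selector can silently redirect resolution to a different component.
        copy.setSelector(null);
        ComponentName target = copy.resolveActivity(pm);
        if (target == null) return null;
        // Our own activities reached through an external Intent is the same
        // confused-deputy problem, so refuse that as well.
        if (ctx.getPackageName().equals(target.getPackageName())) return null;
        try {
            ActivityInfo info = pm.getActivityInfo(target, 0);
            // Non-exported or permission-guarded activities are reachable only because
            // we run as system; a zero-permission caller could not start them itself.
            if (!info.exported || info.permission != null) return null;
        } catch (PackageManager.NameNotFoundException e) {
            return null;
        }
        copy.setComponent(target); // pin the resolved target so nothing re-resolves it later
        copy.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK); // required when starting from a non-Activity context
        return copy;
    }

    /** Hypothetical use inside the privileged component: forward only what sanitize() allows. */
    public static void forward(Context ctx, Intent fromCaller) {
        Intent safe = sanitize(ctx, fromCaller);
        if (safe != null) ctx.startActivity(safe);
    }
}
```

For the Android 9 variant, where the nested Intent is broadcast rather than started as an activity, the same resolution and exported/permission checks apply to the receiver side before calling sendBroadcast.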