←back to thread

Google confirms Android attacks; no fix for most Samsung users

(www.forbes.com)
208 points mohi-kalantari | 8 comments | 08 Dec 25 16:32 UTC | HN request time: 0.207s | source | bottom
1. RadiozRadioz ◴[08 Dec 25 19:23 UTC] No.46196472[source]
I'm really struggling to find any concrete information about what this vulnerability actually is. Does anyone know where to look for a good summary?
replies(3): >>46196522 #>>46196621 #>>46197224 #
2. jfindper ◴[08 Dec 25 19:37 UTC] No.46196621[source]
>[...] there is a possible way to launch activities from the background due to a permissions bypass.

https://www.cve.org/CVERecord?id=CVE-2025-48572

https://android.googlesource.com/platform/frameworks/base/+/...

https://android.googlesource.com/platform/frameworks/base/+/...

>"In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed."

https://www.cve.org/CVERecord?id=CVE-2025-48633

https://android.googlesource.com/platform/frameworks/base/+/...

3. ActorNightly ◴[08 Dec 25 20:29 UTC] No.46197224[source]
Search CVE numbers.

https://www.cve.org/CVERecord?id=CVE-2025-48633

Basically, just like most things these days, its all just local privilege escalation. This means that you have to install/run an app that has these exploits built in.

Soif you usage profile doesn't include downloading apps from untrusted sources, you don't need to worry.

replies(3): >>46197427 #>>46197784 #>>46200663 #
4. skeaker ◴[08 Dec 25 20:45 UTC] No.46197427[source]
In other words, continue as normal: Don't install random crap you don't trust. That this is even newsworthy is kind of strange.
5. rs186 ◴[08 Dec 25 21:19 UTC] No.46197784[source]
What if an existing app gets an update that exploits the vulnerability?

For sure that's not going to happen to an app released by a major company, but there are lots of less known app created by many different developers.

replies(1): >>46204713 #
6. orbital-decay ◴[09 Dec 25 02:43 UTC] No.46200663[source]
In other words, if you ever need to install anything on your device, you do need to worry. What even could be trusted, a random app from Play Store?
replies(1): >>46210051 #
7. ndriscoll ◴[09 Dec 25 13:28 UTC] No.46204713{3}[source]
Turn off app updates. If it's working now, why do you need to update it? Does the update add something specific you want?
8. lelanthran ◴[09 Dec 25 20:16 UTC] No.46210051{3}[source]
> In other words, if you ever need to install anything on your device, you do need to worry.

No, its "If you ever need to install some random app from the play, you do need to worry"

I installed the Teams app and Torque Pro today. I am not worried. I've also got the Sherlock games (purchased way back when) that I have yet to install on my new phone.

Installing that app also will not worry me. These apps are trusted because of the authors, not because of the Play store.

Worry is not binary, it's a probability, and you are at high risk if you're installing every rando's app on your phone and low risk if you are not.