CVE-2023-35674 Overview
CVE-2023-35674 is a local privilege escalation vulnerability in the Android operating system. The flaw resides in the onCreate method of WindowState.java within the Android framework. A logic error in the code allows a malicious local application to launch a background activity without proper authorization. Exploitation requires no user interaction and no additional execution privileges beyond those already granted to the installed application. Google addressed the issue in the Android Security Bulletin for September 2023. The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-35674 to the Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild.
Critical Impact
A local attacker with a malicious application installed can escalate privileges on Android 11, 12, 12.1, and 13 devices without user interaction.
Affected Products
- Google Android 11.0
- Google Android 12.0 and 12.1
- Google Android 13.0
Discovery Timeline
- 2023-09-01 - Google publishes fix in Android Security Bulletin September 2023
- 2023-09-11 - CVE-2023-35674 published to NVD
- 2025-10-23 - Last updated in NVD database
Technical Details for CVE-2023-35674
Vulnerability Analysis
The vulnerability is classified under [CWE-269] Improper Privilege Management. It exists in the Android framework component responsible for window management. Specifically, the onCreate method of WindowState.java contains a logic error that fails to correctly enforce restrictions on background activity launches. Android imposes background activity start (BAL) restrictions to prevent applications from displaying activities while not in the foreground. These restrictions exist to block tapjacking, overlay attacks, and unauthorized UI manipulation. The flawed logic in WindowState.java provides a path around these checks, enabling a local application to start activities it should not be permitted to launch.
Root Cause
The root cause is an incorrect conditional check in window state initialization. The code path fails to validate caller permissions before permitting activity creation in the background context. As a result, the privilege boundary between standard applications and the system window manager is not enforced consistently.
Attack Vector
The attack vector is local. An attacker must convince a victim to install a malicious application or compromise an existing application on the device. Once running with standard user-level privileges, the application invokes the affected code path to launch a background activity. The launched activity can then perform actions normally restricted, such as overlaying content over privileged applications or hijacking user input. The vulnerability does not require user interaction at the time of exploitation. Public proof-of-concept code is not available, but CISA KEV listing indicates exploitation has occurred. Refer to the Android Source Code Update for the framework patch details.
Detection Methods for CVE-2023-35674
Indicators of Compromise
- Unexpected activity launches from applications that are not in the foreground
- Applications requesting SYSTEM_ALERT_WINDOW or related window-management permissions outside their declared functionality
- Anomalous WindowManager calls visible in logcat traces during forensic review
Detection Strategies
- Monitor mobile device management (MDM) telemetry for devices running Android 11, 12, 12.1, or 13 without the September 2023 security patch level
- Review installed application inventories for sideloaded or non-Play-Store APKs targeting affected Android versions
- Inspect application behavior for background activity starts that bypass standard BAL restrictions
Monitoring Recommendations
- Enforce minimum Android security patch level policies through enterprise mobility management platforms
- Capture and correlate Android system logs in a centralized logging or SIEM platform for retrospective analysis
- Alert on devices that fail compliance checks for the September 2023 or later security patch level
How to Mitigate CVE-2023-35674
Immediate Actions Required
- Apply the September 2023 Android security patch level or later to all managed Android devices
- Audit enterprise device fleets for Android 11, 12, 12.1, and 13 endpoints lacking the patch and prioritize remediation
- Remove untrusted or sideloaded applications from devices that cannot be patched immediately
Patch Information
Google released the fix in the Android Security Bulletin September 2023. Devices must be updated to security patch level 2023-09-01 or later. Original equipment manufacturers (OEMs) distribute the patch through their own update channels, so timing varies by device vendor. The framework-level change is documented in the upstream commit referenced in the Android Source Code Update. Because CISA confirmed exploitation, U.S. federal agencies are required to patch under CISA Known Exploited Vulnerability CVE-2023-35674.
Workarounds
- Restrict installation sources to Google Play and trusted enterprise app stores via MDM policy
- Block installation of applications from unknown sources on managed devices
- Retire or isolate devices that no longer receive vendor security updates for Android 11 through 13
# Verify Android security patch level via ADB
adb shell getprop ro.build.version.security_patch
# Expected output: 2023-09-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
