CVE-2023-35674 Overview
CVE-2023-35674 is a local privilege escalation vulnerability in the Android framework. Google's Android Security Bulletin for September 2023 describes it as a logic error in onCreate of WindowState.java that gives an app a possible way to launch a background activity. Exploitation needs no additional execution privileges and no user interaction, which makes the bug usable by any app that is already installed on the device.
Critical Impact
Google's bulletin noted indications that CVE-2023-35674 may be under limited, targeted exploitation, and CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on September 13, 2023. An attacker who gets an app onto a device can use the flaw to bring that app's activity to the foreground without the user's involvement, the kind of UI takeover that Android's background activity launch restrictions exist to prevent.
Affected Products
- Google Android 11.0
- Google Android 12.0
- Google Android 12L (listed as 12.1 in NVD)
- Google Android 13.0
Discovery Timeline
- September 5, 2023 - Fix published in the Android Security Bulletin for September 2023 (security patch level 2023-09-05)
- September 11, 2023 - CVE-2023-35674 published to NVD
- September 13, 2023 - Added to CISA's Known Exploited Vulnerabilities catalog
- October 23, 2025 - Last updated in NVD database
Technical Details for CVE-2023-35674
Vulnerability Analysis
The vulnerability resides in the Android framework's window manager, specifically in WindowState.java. NVD classifies it under CWE-269 (Improper Privilege Management) and scores it CVSS 3.1 7.8 (High), vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; Google rates the severity as High.
Google's public description is brief: a logic error in onCreate lets an app launch a background activity. Since Android 10 the platform blocks activity starts from apps that are not in the foreground (the background activity launch, or BAL, restrictions) precisely so that an app cannot take over the screen or act without the user noticing. This flaw bypasses those restrictions, so a malicious app can bring an activity to the foreground from the background without any user interaction. The bulletin does not say which check fails; the patched source referenced under Patch Information is the only authoritative record of the exact logic.
The bug is dangerous because it needs nothing beyond the privileges of an ordinary installed app (local attack vector, low privileges required in CVSS terms). Exploitation happens entirely on-device and needs no network access; the attacker's only prerequisite is getting a malicious app installed, typically by sideloading or through a trojanized app.
Root Cause
The root cause is a logic error in the onCreate code path of WindowState.java that lets an app start an activity while it is in the background, in cases the background activity launch restrictions should have blocked. The failing restriction is a privilege boundary (only foreground or otherwise exempt callers may start activities), which is why the flaw is classed as improper privilege management and yields local privilege escalation.
Attack Vector
The attack requires local access to the Android device, typically through a malicious application installed by the user. Once installed, the malicious app can exploit this vulnerability without requiring any user interaction or additional execution privileges.
The exploitation flow involves:
- A malicious application is installed on the target Android device
- The application triggers the vulnerable code path in WindowState.java
- Because of the logic error, the launch succeeds even though the app is in the background and would normally be blocked
- The app's activity is now on screen without the user having opened it; from there it can cover or replace whatever the user was doing, which is exactly the capability the background activity launch restrictions are meant to deny
NVD rates the confidentiality, integrity and availability impact as high, reflecting Google's assessment of the flaw as a local escalation of privilege.
Detection Methods for CVE-2023-35674
Indicators of Compromise
- Activities of an installed app appearing on screen when the user did not open that app and no foreground app or notification launched it
- Apps that unexpectedly take over the foreground, for example a login-style screen that pops up over another app
- ActivityTaskManager `START u0 {…} from uid N` lines in logcat where the calling uid belongs to a package that holds no foreground activity at that moment
- Anomalous behavior from apps that should not have elevated access, such as a simple utility app that repeatedly brings its own activities to the front
Detection Strategies
- Collect logcat (main and events buffers) from managed devices and flag activity starts whose caller is not the current foreground app
- Implement mobile device management (MDM) solutions that can detect anomalous application behavior
- Review installed applications for known malicious packages associated with this exploitation
- Enable Google Play Protect and ensure it remains active to detect known malicious applications
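The log-based strategy above can be turned into a concrete triage script. The following is an added example written for this page, not Google's code and not part of any vendor product. It assumes two logcat line shapes, the `START u0 {…} from uid N` message that ActivityTaskManager writes to the main buffer and the `wm_set_resumed_activity` event in the events buffer, plus a uid-to-package map of the kind `pm list packages -U` produces; the sample log lines and the map are constructed, and the exact log formats should be verified against your own devices because they vary between Android releases.

```python
"""Heuristic detection of background activity launches in Android logcat.

Added example for this page, not Google's code and not from any vendor
product. It assumes two log shapes (verify them against your devices,
they vary between Android releases):

  main buffer:   ActivityTaskManager: START u0 {... cmp=pkg/.Activity} from uid N
  events buffer: wm_set_resumed_activity: [user,pkg/.Activity,reason]

and a uid -> package map that you would build from `adb shell pm list
packages -U`. SAMPLE_LOG and UID_TO_PKG below are constructed for the
example, not captured from a real exploitation.
"""
import re

START_RE = re.compile(
    r"ActivityTaskManager: START u\d+ \{.*?cmp=([^/ }]+)/.*?\} from uid (\d+)")
RESUMED_RE = re.compile(r"wm_set_resumed_activity: \[\d+,([^/,\]]+)/")
FIRST_APP_UID = 10000  # uids below this are system components (system_server, shell, ...)

# Constructed sample: launcher opens a notes app, the user taps a mail
# notification (started by system_server), then a "flashlight" app that is
# not in the foreground starts its own activity on top of the mail client.
SAMPLE_LOG = """\
09-12 10:00:00.100  1000  1234 I wm_set_resumed_activity: [0,com.android.launcher3/.Launcher,resumeTopActivity]
09-12 10:00:01.200  1000  1234 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] flg=0x10200000 cmp=com.example.notes/.MainActivity} from uid 10090
09-12 10:00:01.500  1000  1234 I wm_set_resumed_activity: [0,com.example.notes/.MainActivity,resumeTopActivity]
09-12 10:00:05.000  1000  1234 I ActivityTaskManager: START u0 {cmp=com.example.notes/.EditorActivity} from uid 10123
09-12 10:00:05.200  1000  1234 I wm_set_resumed_activity: [0,com.example.notes/.EditorActivity,resumeTopActivity]
09-12 10:02:00.000  1000  1234 I ActivityTaskManager: START u0 {cmp=com.example.mail/.InboxActivity} from uid 1000
09-12 10:02:00.300  1000  1234 I wm_set_resumed_activity: [0,com.example.mail/.InboxActivity,resumeTopActivity]
09-12 10:03:42.800  1000  1234 I ActivityTaskManager: START u0 {flg=0x10000000 cmp=com.attacker.flashlight/.FakeLoginActivity} from uid 10200
09-12 10:03:43.000  1000  1234 I wm_set_resumed_activity: [0,com.attacker.flashlight/.FakeLoginActivity,resumeTopActivity]
"""
UID_TO_PKG = {
    10090: "com.android.launcher3",
    10123: "com.example.notes",
    10150: "com.example.mail",
    10200: "com.attacker.flashlight",
}


def detect_background_starts(lines, uid_to_pkg, trusted_uids=frozenset()):
    """Return one alert per activity start whose caller is not the foreground app.

    The foreground app is tracked from wm_set_resumed_activity events. Starts
    from system uids and from trusted_uids (a custom launcher, an MDM agent)
    are ignored. A start seen before any foreground app is known cannot be
    judged and is skipped rather than reported.
    """
    foreground = None
    alerts = []
    for line in lines:
        m = RESUMED_RE.search(line)
        if m:
            foreground = m.group(1)
            continue
        m = START_RE.search(line)
        if not m:
            continue
        target, caller_uid = m.group(1), int(m.group(2))
        if caller_uid < FIRST_APP_UID or caller_uid in trusted_uids or foreground is None:
            continue
        caller = uid_to_pkg.get(caller_uid, "uid:%d" % caller_uid)
        if caller != foreground:
            alerts.append({
                "line": line.strip(),
                "caller": caller,
                "foreground": foreground,
                "target": target,
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_background_starts(SAMPLE_LOG.splitlines(), UID_TO_PKG)


if __name__ == "__main__":
    for a in run_sample():
        print("background activity start by %(caller)s while %(foreground)s was "
              "in front -> %(target)s" % a)
```

This is a heuristic, not a signature for the bug: any legitimate background start that Android permits (an app with a pending user-driven grant, a trampoline from a foreground app's own process) also trips it, so use the alerts as a triage queue and confirm by checking the caller's package against the device's installed-app inventory and patch level.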
Monitoring Recommendations
- Deploy SentinelOne Singularity Mobile to monitor for privilege escalation attempts on Android devices
- Configure alerting for unusual inter-process communication patterns indicative of exploitation
- Regularly audit application permissions and behavior across managed device fleets
- Monitor CISA KEV catalog updates and threat intelligence feeds for related indicators
How to Mitigate CVE-2023-35674
Immediate Actions Required
- Update all affected devices to Android security patch level 2023-09-05 or later, which contains the fix
- Review and remove any suspicious or unnecessary applications from affected devices
- Enable automatic security updates to ensure timely patch deployment
- Implement application allowlisting on enterprise-managed devices to restrict unauthorized app installations
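To act on the first item at fleet scale, verify the reported security patch level rather than trusting the Android version. The following is an added example, not Google's or SentinelOne's tooling; it assumes adb is installed and authorized for the connected devices, reads the standard `ro.build.version.security_patch` and `ro.build.version.release` properties, and treats the `OLDEST_SUPPORTED_MAJOR` cut-off and the `end_of_life` status as this example's own policy.

```python
"""Verify the CVE-2023-35674 fix is present on managed Android devices.

Added example for this page, not a Google or SentinelOne tool. The
classification (assess) is pure and offline; audit_connected_devices shells
out to adb, which must be on PATH, and reads ro.build.version.security_patch
and ro.build.version.release from each device.
"""
import re
import subprocess
from datetime import date

# The September 2023 bulletin ships the fix; patch levels are cumulative, so
# any level on or after this date includes it.
FIXED_PATCH_LEVEL = date(2023, 9, 5)
# Google lists Android 11, 12, 12L and 13 as affected. Releases older than 11
# are out of support and receive no fix (policy choice of this example).
OLDEST_SUPPORTED_MAJOR = 11

PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(value):
    """Turn 'YYYY-MM-DD' as reported by getprop into a date, or None."""
    m = PATCH_RE.match(value.strip())
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:  # e.g. month 13 from a corrupted or vendor-mangled prop
        return None


def assess(release, patch_level):
    """Classify one device. Returns (status, reason)."""
    level = parse_patch_level(patch_level)
    if level is None:
        return "unknown", "unparseable security patch level %r" % patch_level
    m = re.match(r"\d+", release.strip())
    major = int(m.group(0)) if m else None
    if major is not None and major < OLDEST_SUPPORTED_MAJOR:
        return "end_of_life", "Android %s gets no fix from Google; replace or retire" % release
    if level >= FIXED_PATCH_LEVEL:
        return "patched", "patch level %s is at or after %s" % (level, FIXED_PATCH_LEVEL)
    return "vulnerable", "patch level %s predates %s" % (level, FIXED_PATCH_LEVEL)


def _adb(serial, *args):
    """Run one adb command against a device and return its trimmed stdout."""
    return subprocess.run(["adb", "-s", serial, *args],
                          capture_output=True, text=True, check=True).stdout.strip()


def list_devices():
    """Serials of devices in 'device' state, parsed from `adb devices`."""
    out = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout
    serials = []
    for line in out.splitlines()[1:]:  # first line is the "List of devices attached" header
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def audit_connected_devices():
    """Map serial -> (status, reason, release, patch_level) for every attached device."""
    report = {}
    for serial in list_devices():
        release = _adb(serial, "shell", "getprop", "ro.build.version.release")
        patch = _adb(serial, "shell", "getprop", "ro.build.version.security_patch")
        report[serial] = assess(release, patch) + (release, patch)
    return report


if __name__ == "__main__":
    for serial, (status, reason, release, patch) in audit_connected_devices().items():
        print("%s: Android %s patch %s -> %s (%s)" % (serial, release, patch, status, reason))
```

The comparison is on the patch level alone because that string is the contract: a device claiming 2023-09-05 or later must carry every fix up to that bulletin, while an Android 13 device stuck on 2023-08-05 is still exposed regardless of how recent its OS version looks.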
Patch Information
Google released the fix in the Android Security Bulletin for September 2023 (security patch level 2023-09-05). The specific code change can be reviewed in the Android Source Code Reference (commit hash 7428962d3b064ce1122809d87af65099d1129c9e).
Organizations should prioritize deploying this patch given the vulnerability's presence on the CISA Known Exploited Vulnerabilities Catalog, which indicates active exploitation in the wild.
Workarounds
- Restrict app installation to trusted sources only (Google Play Store with Play Protect enabled)
- Implement Mobile Threat Defense (MTD) solutions to detect and block exploitation attempts
- Consider keeping unpatched high-risk devices off sensitive networks until they are updated; the flaw is exploited locally, so isolation limits what a compromised device can reach rather than preventing exploitation
- Educate users about the risks of sideloading applications from unknown sources
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.