CVE-2024-31317 Overview
CVE-2024-31317 is a local privilege escalation vulnerability in the Android operating system. The flaw resides in multiple functions of ZygoteProcess.java, where unsafe deserialization allows an attacker holding the WRITE_SECURE_SETTINGS permission to execute arbitrary code in the context of any application on the device. Google addressed the issue in the June 2024 Android Security Bulletin. Affected releases include Android 12, 12L, 13, and 14. Exploitation requires only low user-level privileges and no user interaction, making it a practical post-compromise primitive for malicious apps or ADB-connected attackers seeking to escalate across application sandboxes.
Critical Impact
An attacker with WRITE_SECURE_SETTINGS can run code as any installed application, bypassing Android's per-app sandbox and accessing sensitive user data, credentials, and protected APIs.
Affected Products
- Google Android 12.0 and 12.1 (12L)
- Google Android 13.0
- Google Android 14.0
Discovery Timeline
- 2024-06-01 - Google publishes fix in the Android Security Bulletin
- 2024-07-09 - CVE-2024-31317 published to NVD
- 2024-12-17 - Last updated in NVD database
Technical Details for CVE-2024-31317
Vulnerability Analysis
The Zygote process is the parent of every Android application process. When a new app launches, the system server instructs Zygote to fork a child process with a specific UID, package name, and runtime arguments. The communication channel between the system and Zygote accepts command arguments that are parsed and applied before the child process executes app code.
CVE-2024-31317 stems from unsafe handling of attacker-controlled data flowing into this argument parsing path inside ZygoteProcess.java. An actor with WRITE_SECURE_SETTINGS can write a crafted value into a global setting that Zygote later reads and deserializes. Because the deserialization path treats the input as trusted command arguments, the attacker can influence which process Zygote spawns and under which identity, allowing code execution in the security context of arbitrary installed applications. The weakness is categorized under CWE-502 (Deserialization of Untrusted Data).
Root Cause
The root cause is the absence of validation and integrity checks on serialized command arguments consumed by the Zygote spawn path. Settings writable through WRITE_SECURE_SETTINGS were implicitly trusted, even though that permission can be granted to non-privileged contexts such as ADB shell or specific OEM applications.
Attack Vector
An attacker first obtains the WRITE_SECURE_SETTINGS permission, typically via ADB (adb shell pm grant) or by compromising a preinstalled app that holds it. The attacker writes crafted arguments into the targeted global setting. When Zygote next reads this value, the unsafe deserialization causes a forked child to run under a chosen app's UID, granting access to that app's data and permissions without exploiting any memory corruption primitive.
No verified public proof-of-concept code is available. See the Android Framework Commit for the patch implementation details.
Detection Methods for CVE-2024-31317
Indicators of Compromise
- Unexpected modification of Android global settings, particularly settings consumed by the Zygote spawn path, via settings put global or the Settings.Global API.
- Granting of WRITE_SECURE_SETTINGS to non-system, non-shell applications.
- App processes whose UID does not match the UID assigned to their package at install time.
Detection Strategies
- Inventory installed applications holding android.permission.WRITE_SECURE_SETTINGS and alert on any third-party package that requests or receives it.
- Monitor ADB activation on managed devices through MDM telemetry, since ADB is the primary legitimate avenue to grant WRITE_SECURE_SETTINGS.
- Correlate process spawn telemetry from mobile threat defense agents with the package-to-UID assignments recorded by the package manager to detect identity mismatches indicative of Zygote abuse.
Monitoring Recommendations
- Enforce MDM policies that restrict ADB and developer options on production fleets and alert on policy violations.
- Track Android patch levels across the fleet and flag devices below the June 2024 security patch level (2024-06-01).
- Ingest mobile telemetry into a centralized data lake to retain process, permission, and settings change events for retrospective hunting.
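The two fleet checks above that can be automated from a workstation are the WRITE_SECURE_SETTINGS inventory and the patch-level comparison. The script below is an added example, not code from the advisory or from AOSP; it parses the text that adb shell returns from dumpsys package and getprop ro.build.version.security_patch. The sample dumpsys text embedded in it is constructed, and its layout (Package [...] headers, a flags=[ ... ] line, granted=true entries under install permissions) approximates real output but is an assumption about field order; the collect() helper assumes adb is on PATH and a device is attached.

```python
"""Fleet check for CVE-2024-31317 exposure (added example, not from the advisory).

Two checks, both driven by text that `adb shell` returns:
  1. which non-system packages hold android.permission.WRITE_SECURE_SETTINGS
     (parsed from `dumpsys package`), and
  2. whether ro.build.version.security_patch is at or after 2024-06-01,
     the bulletin level that carries the fix.
The sample dumpsys text below is constructed; its layout approximates real
output but field order and flag names are assumptions.
"""
import re
import subprocess
from datetime import date

WSS = "android.permission.WRITE_SECURE_SETTINGS"
FIXED_PATCH_LEVEL = date(2024, 6, 1)

PKG_HEADER = re.compile(r"^\s*Package \[([\w.]+)\]")
FLAGS_LINE = re.compile(r"^\s*(?:pkgFlags|flags)=\[([^\]]*)\]")
GRANT_LINE = re.compile(rf"^\s*{re.escape(WSS)}: granted=(true|false)")


def parse_wss_holders(dumpsys_text):
    """Return {package: {"system": bool}} for every package whose dumpsys
    block reports WRITE_SECURE_SETTINGS as granted=true."""
    holders = {}
    current = None
    is_system = False
    for line in dumpsys_text.splitlines():
        m = PKG_HEADER.match(line)
        if m:                      # new package block; reset per-package state
            current = m.group(1)
            is_system = False
            continue
        if current is None:
            continue
        m = FLAGS_LINE.match(line)
        if m:                      # SYSTEM flag marks a preinstalled package
            is_system = "SYSTEM" in m.group(1).split()
            continue
        m = GRANT_LINE.match(line)
        if m and m.group(1) == "true":
            holders[current] = {"system": is_system}
    return holders


def patch_level_is_fixed(security_patch_prop):
    """True when ro.build.version.security_patch (YYYY-MM-DD) is at or after
    the June 2024 bulletin level. Unparseable values count as unpatched."""
    try:
        y, m, d = (int(x) for x in security_patch_prop.strip().split("-"))
        return date(y, m, d) >= FIXED_PATCH_LEVEL
    except ValueError:
        return False


def assess(dumpsys_text, security_patch_prop):
    """Combine both checks into one finding for a single device."""
    holders = parse_wss_holders(dumpsys_text)
    third_party = sorted(p for p, info in holders.items() if not info["system"])
    patched = patch_level_is_fixed(security_patch_prop)
    alerts = []
    if not patched:
        alerts.append("security patch level below 2024-06-01")
    for pkg in third_party:
        alerts.append(f"non-system package holds WRITE_SECURE_SETTINGS: {pkg}")
    return {"patched": patched, "third_party_wss_holders": third_party, "alerts": alerts}


def collect(serial=None):
    """Pull both inputs from an attached device (assumes adb is on PATH)."""
    base = ["adb"] + (["-s", serial] if serial else [])

    def run(*args):
        return subprocess.run(base + ["shell", *args], capture_output=True,
                              text=True, check=True).stdout

    return run("dumpsys", "package"), run("getprop", "ro.build.version.security_patch")


# Constructed sample: one system holder (shell), one side-loaded holder, one clean app.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.shell] (1a2b3c):
    userId=2000
    flags=[ SYSTEM HAS_CODE ]
    install permissions:
      android.permission.WRITE_SECURE_SETTINGS: granted=true
  Package [com.example.sideloaded] (4d5e6f):
    userId=10234
    flags=[ HAS_CODE ALLOW_BACKUP ]
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.WRITE_SECURE_SETTINGS: granted=true
  Package [com.example.clean] (7a8b9c):
    userId=10235
    flags=[ HAS_CODE ]
    install permissions:
      android.permission.INTERNET: granted=true
"""

if __name__ == "__main__":
    # Offline run against the constructed sample; swap in collect() for a live device.
    for alert in assess(SAMPLE_DUMPSYS, "2024-05-05")["alerts"]:
        print(alert)
```

Run it as-is to see the two alerts the sample produces; to check a real device, replace the sample arguments with the tuple returned by collect(). The system-flag heuristic deliberately ignores com.android.shell, which always holds the permission, so the alert list focuses on packages that should not have it.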
How to Mitigate CVE-2024-31317
Immediate Actions Required
- Apply the June 2024 Android security patch level (2024-06-01) or later on all Android 12, 12L, 13, and 14 devices.
- Audit and revoke WRITE_SECURE_SETTINGS from any third-party applications that hold it.
- Disable USB debugging and ADB on devices that do not require developer access, and enforce this through MDM.
Patch Information
Google remediated the issue in AOSP commit e25a0e394bbfd6143a557e1019bb7ad992d11985 and shipped fixes in the Android Security Bulletin June 2024. Device manufacturers integrate the fix into their respective vendor builds; confirm the security patch level reported under Settings → About phone is 2024-06-01 or later.
Workarounds
- Restrict installation of side-loaded applications and enforce Google Play Protect on managed devices to reduce the likelihood of an attacker-controlled app obtaining WRITE_SECURE_SETTINGS via OEM-granted channels.
- Enforce MDM configuration profiles that disable developer options and USB debugging until devices receive the June 2024 patch.
- Block unmanaged ADB connections at the USB or network policy layer in sensitive environments.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.