CVE-2025-0087 Overview
CVE-2025-0087 is a local privilege escalation vulnerability in Google Android's UninstallerActivity.java component. The vulnerability exists in the onCreate method where a missing permission check allows an attacker to uninstall another user's application without proper authorization. This flaw enables local privilege escalation without requiring any additional execution privileges or user interaction.
Critical Impact
Attackers can exploit this vulnerability to uninstall applications belonging to other users on multi-user Android devices, potentially leading to denial of service, disruption of critical applications, or enabling further attack chains by removing security software.
Affected Products
- Google Android 13.0
- Google Android 14.0
- Google Android 15.0
Discovery Timeline
- 2025-05-01 - Google publishes security patch in Android Security Bulletin
- 2025-09-04 - CVE-2025-0087 published to NVD
- 2025-09-05 - Last updated in NVD database
Technical Details for CVE-2025-0087
Vulnerability Analysis
This is a missing permission check vulnerability (CWE-689) in Android's package management framework. The UninstallerActivity.java component handles application uninstallation requests, but it fails to verify that the requesting entity holds the permissions needed to uninstall applications in the target user context.
In Android's multi-user architecture, each user profile maintains separate application installations and data. The permission model is designed to prevent cross-user operations without explicit authorization. However, this implementation oversight allows a malicious application or process running in one user context to trigger uninstallation of applications belonging to a different user profile.
The attack is local in nature, requiring the attacker to have code execution on the device, but does not require elevated privileges to initiate. No user interaction is needed to exploit this vulnerability, making it particularly concerning for automated attack scenarios.
Root Cause
The root cause is a missing permission validation in the onCreate method of UninstallerActivity.java. When processing an uninstallation intent, the activity fails to verify whether the calling package has the necessary permissions to perform cross-user uninstallation operations. This allows any application to craft an intent that targets applications in other user profiles.
Attack Vector
The attack vector is local, meaning an attacker must have the ability to execute code on the target Android device. An attacker can exploit this vulnerability by:
- Creating a malicious application that constructs an intent targeting UninstallerActivity
- Including the package name of the target application to be uninstalled
- Specifying a different user ID to target applications in another user profile
- Launching the intent, which bypasses the permission check and initiates uninstallation
Since no user interaction is required, a malicious application running in the background could silently uninstall critical applications from other user profiles, potentially including security applications, work profile apps, or parental control software.
The vulnerability was addressed in the referenced Android Source Code Commit, which adds the missing permission verification logic.
Detection Methods for CVE-2025-0087
Indicators of Compromise
- Unexpected application uninstallations on the device, particularly in work profiles or secondary user accounts
- Applications disappearing from other user profiles without user action
- Suspicious intents launching UninstallerActivity from applications that have no legitimate reason to manage packages in other user profiles
- Logcat entries showing uninstallation requests for packages in different user contexts
Detection Strategies
- Monitor Android system logs for uninstallation events that occur without corresponding user interaction
- Implement application inventory monitoring to detect unexpected removals across user profiles
- Deploy mobile threat defense solutions that can detect anomalous package management behavior
- Enable audit logging for package management operations in enterprise MDM solutions
Monitoring Recommendations
- Configure SentinelOne Mobile Threat Defense to monitor for suspicious package management activities
- Enable detailed logging on managed Android devices to capture uninstallation events
- Implement alerts for critical application removals in work profiles or managed user accounts
- Regularly audit installed applications across all user profiles on multi-user devices
How to Mitigate CVE-2025-0087
Immediate Actions Required
- Apply the May 2025 Android security patch immediately to all affected devices
- Review device logs for any signs of unauthorized application uninstallation
- Ensure all managed devices are enrolled in an MDM solution with security patch enforcement
- Consider restricting installation of untrusted applications until patching is complete
Patch Information
Google has released a security patch addressing this vulnerability in the Android Security Bulletin May 2025. The fix adds proper permission validation to the onCreate method of UninstallerActivity.java, ensuring that cross-user uninstallation requests are properly authorized.
Device manufacturers should incorporate the security patch level 2025-05-01 or later into their firmware updates. Enterprise administrators should verify that managed devices have received this patch through their MDM console.
Workarounds
- Limit installation of applications from unknown sources to reduce the attack surface
- Use Android's work profile feature with enterprise mobility management to monitor application integrity
- Deploy mobile threat defense solutions to detect and prevent exploitation attempts
- For enterprise environments, consider restricting multi-user functionality on sensitive devices until patches are applied
- Enable application verification through Google Play Protect for additional runtime protection
# Verify Android security patch level on device
adb shell getprop ro.build.version.security_patch
# Expected output: 2025-05-01 or a newer date; anything older on Android 13/14/15 is unpatched
# List installed packages for the primary user (user 0) to baseline
adb shell pm list packages --user 0
# Repeat for every other user id reported by `adb shell pm list users`, since this
# vulnerability concerns packages in other user profiles
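The inventory baseline and patch-level checks above, carried a step further as an added example (not Google's or SentinelOne's code): it parses captured output of `getprop ro.build.version.release`, `getprop ro.build.version.security_patch` and `pm list packages --user <id>`, flags a device on an affected release whose patch level predates 2025-05-01, and diffs per-user package snapshots to report removals, raising an alert for critical packages as the Detection Strategies and Monitoring Recommendations sections suggest. The sample captures, the `com.example.*` package names and the `audit_device` helper are constructed for illustration.

```python
"""Audit helpers for CVE-2025-0087 exposure and cross-user package removals.

Added example (not Google's or SentinelOne's code). It consumes text captured from:
  adb shell getprop ro.build.version.release
  adb shell getprop ro.build.version.security_patch
  adb shell pm list packages --user <id>
All sample captures below are constructed, not real device output.
"""
from datetime import date

# First security patch level that includes the fix (Android Security Bulletin, May 2025).
FIXED_PATCH_LEVEL = date(2025, 5, 1)
# Android releases the advisory lists as affected.
AFFECTED_RELEASES = {"13", "14", "15"}


def parse_patch_level(getprop_output: str) -> date:
    """Parse `ro.build.version.security_patch` output (YYYY-MM-DD) into a date.
    Raises ValueError on malformed output, so a bad capture is never silently 'patched'."""
    return date.fromisoformat(getprop_output.strip())


def is_vulnerable(release_output: str, patch_output: str) -> bool:
    """True when the device runs an affected release with a patch level older than 2025-05-01.
    Releases outside the affected list are reported as not vulnerable to this CVE."""
    major = release_output.strip().split(".")[0]
    if major not in AFFECTED_RELEASES:
        return False
    return parse_patch_level(patch_output) < FIXED_PATCH_LEVEL


def parse_package_list(pm_output: str) -> set[str]:
    """Turn `pm list packages` output lines ('package:com.example.app') into a set of names."""
    names = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            names.add(line[len("package:"):])
    return names


def removed_packages(baseline: dict[int, str], current: dict[int, str]) -> dict[int, set[str]]:
    """Compare per-user snapshots (user id -> pm output) and return packages present in the
    baseline but missing now, keyed by user id. Users absent from the current snapshot are
    skipped rather than reported as having lost every package."""
    removed = {}
    for user_id, before in baseline.items():
        if user_id not in current:
            continue
        gone = parse_package_list(before) - parse_package_list(current[user_id])
        if gone:
            removed[user_id] = gone
    return removed


def audit_device(release_output, patch_output, baseline, current, critical):
    """Combine both checks into one report. `critical` holds package names whose removal
    from any user profile should raise an alert (e.g. MDM agents, security apps)."""
    removed = removed_packages(baseline, current)
    critical_removals = sorted(
        (user_id, name) for user_id, names in removed.items() for name in names if name in critical
    )
    return {
        "vulnerable": is_vulnerable(release_output, patch_output),
        "removed": removed,
        "critical_removals": critical_removals,
    }


# Constructed sample captures: an Android 14 device with a pre-fix patch level, where the
# placeholder-named MDM agent vanished from secondary user 10 between two inventory runs.
SAMPLE_RELEASE = "14\n"
SAMPLE_PATCH = "2025-03-01\n"
SAMPLE_BASELINE = {
    0: "package:com.android.settings\npackage:com.example.bank\n",
    10: "package:com.android.settings\npackage:com.example.mdm.agent\npackage:com.example.mail\n",
}
SAMPLE_CURRENT = {
    0: "package:com.android.settings\npackage:com.example.bank\n",
    10: "package:com.android.settings\npackage:com.example.mail\n",
}
CRITICAL_PACKAGES = {"com.example.mdm.agent"}  # placeholder: your MDM/security app package names

if __name__ == "__main__":
    report = audit_device(SAMPLE_RELEASE, SAMPLE_PATCH, SAMPLE_BASELINE, SAMPLE_CURRENT, CRITICAL_PACKAGES)
    print("vulnerable to CVE-2025-0087:", report["vulnerable"])
    for user_id, names in sorted(report["removed"].items()):
        print(f"user {user_id}: removed {sorted(names)}")
    for user_id, name in report["critical_removals"]:
        print(f"ALERT: critical package {name} removed from user {user_id}")
```

Feed it the raw text of the adb commands, one snapshot per user id, and keep the baseline from a known-good state; a removal that shows up only in a secondary or work-profile user, with no matching uninstall action by that user, is exactly the pattern the Indicators of Compromise list describes.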
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.