
CVE-2025-0087: Google Android Privilege Escalation Flaw

CVE-2025-0087 is a privilege escalation vulnerability in Google Android that allows attackers to uninstall other users' apps without proper permissions. This article covers technical details, affected versions, and mitigations.

CVE-2025-0087 Overview

CVE-2025-0087 is a local privilege escalation vulnerability in the Android operating system. The flaw resides in the onCreate method of UninstallerActivity.java, which fails to enforce a required permission check before processing uninstall requests. As a result, a local application can uninstall an app belonging to a different user on the device. The issue affects Android versions 13, 14, and 15, and was addressed in the May 2025 Android Security Bulletin. Exploitation requires no user interaction and no additional execution privileges, making it accessible to any local app on a multi-user device.

Critical Impact

A local attacker can remove applications installed under other user profiles on the same device, breaching the isolation boundary between Android user accounts and enabling cross-user tampering.

Affected Products

  • Google Android 13
  • Google Android 14
  • Google Android 15

Discovery Timeline

  • 2025-09-04 - CVE-2025-0087 published to the National Vulnerability Database
  • 2025-09-05 - Last updated in NVD database
  • May 2025 - Fix shipped in the Android Security Bulletin May 2025

Technical Details for CVE-2025-0087

Vulnerability Analysis

The defect is classified under CWE-689 (Permission Race Condition During Resource Copy) and manifests as a missing authorization check in the Android package installer's uninstall flow. When UninstallerActivity receives an uninstall intent, the onCreate handler proceeds without verifying that the calling user is authorized to remove an application installed under a different user profile.

Android relies on per-user isolation to keep applications and data separated across multiple user accounts on the same device. By skipping the cross-user permission check, the activity allows one user context to take destructive action against another. The result is local escalation of privilege without any additional execution rights and without prompting the target user.

The exploitation surface is local because the attacker must already have code execution on the device. However, no special capabilities, signature-level permissions, or user prompts are required to trigger the uninstall.

Root Cause

The root cause is a missing permission check in onCreate of UninstallerActivity.java within the Android framework. The activity should validate that the caller holds the appropriate cross-user permissions, such as INTERACT_ACROSS_USERS_FULL, before honoring an uninstall request that targets another user's package. The Android source patch in commit 4c269d7b0ec71951f773844b2a325e556f982a9c adds the missing validation.

Attack Vector

The attack vector is local. A malicious application installed under one user account on a multi-user Android device can craft an intent that invokes UninstallerActivity against a package belonging to another user. Because the activity does not validate the caller's cross-user authority, the framework processes the uninstall, removing the targeted app from the other user's profile. No user interaction is needed on either profile, and no additional permissions must be granted to the malicious app beyond standard install rights.

The vulnerability does not yield code execution or data disclosure on its own. Its primary impact is integrity and availability degradation: the attacker can silently remove security tooling, productivity apps, or device-management agents from other users.

Detection Methods for CVE-2025-0087

Indicators of Compromise

  • Unexpected PACKAGE_REMOVED broadcasts on a user profile that did not initiate the removal.
  • Audit log entries showing UninstallerActivity invocations where the calling UID's user does not match the target package's user.
  • Sudden disappearance of managed or enterprise apps from secondary user profiles without administrator action.

Detection Strategies

  • Monitor Android device logs for package uninstall events and correlate the initiating UID with the affected user ID to identify cross-user removals.
  • Use mobile device management (MDM) telemetry to flag deviations from the expected app inventory on each user profile.
  • Inspect installed applications for unsigned or sideloaded packages that request the ability to launch activities in the com.android.packageinstaller namespace.
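The first detection strategy above (correlate the initiating UID with the target user ID) can be scripted. The following Python is an added example written for this article, not code from the advisory, from Google, or from any MDM product. The log line format is constructed for the example and is not a verbatim Android log format; the only Android fact it relies on is that an application UID encodes its user as uid // 100000 (UserHandle.PER_USER_RANGE). The allowlist of trusted calling UIDs (system UID 1000 by default) is an assumption a deployment would tune, since the system itself legitimately removes packages across users during management actions.

```python
"""Flag cross-user package removals in Android uninstall log lines.

Added example for CVE-2025-0087 detection; log format is constructed.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# Android: the user ID is the UID divided by UserHandle.PER_USER_RANGE.
PER_USER_RANGE = 100000

# Constructed sample log lines (the message format is assumed, not real).
SAMPLE_LOG = """\
05-02 10:14:03.112  1234  1300 I PackageManager: Uninstall requested pkg=com.example.mdmagent targetUser=10 callingUid=10045
05-02 10:14:03.220  1234  1300 I PackageManager: Uninstall requested pkg=com.example.notes targetUser=0 callingUid=10077
05-02 10:15:41.001  1234  1300 I PackageManager: Uninstall requested pkg=com.example.vpn targetUser=10 callingUid=1010112
05-02 10:16:02.450  1234  1300 I PackageManager: Uninstall requested pkg=com.example.oldgame targetUser=10 callingUid=1000
"""

LINE_RE = re.compile(
    r"PackageManager: Uninstall requested pkg=(?P<pkg>\S+) "
    r"targetUser=(?P<user>\d+) callingUid=(?P<uid>\d+)"
)


@dataclass(frozen=True)
class UninstallEvent:
    pkg: str
    target_user: int
    calling_uid: int

    @property
    def calling_user(self) -> int:
        """User profile that the calling UID belongs to."""
        return self.calling_uid // PER_USER_RANGE

    @property
    def cross_user(self) -> bool:
        """True when the caller's user differs from the target package's user."""
        return self.calling_user != self.target_user


def parse_events(log_text: str) -> List[UninstallEvent]:
    """Extract uninstall requests from log text; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(UninstallEvent(m["pkg"], int(m["user"]), int(m["uid"])))
    return events


def find_cross_user_removals(
    log_text: str, allowlist: FrozenSet[int] = frozenset({1000})
) -> List[UninstallEvent]:
    """Return uninstalls where a UID in one user removed a package in another.

    Callers in `allowlist` (assumed: the system UID 1000, which performs
    cross-user removals as part of normal management) are not reported.
    """
    return [
        e for e in parse_events(log_text)
        if e.cross_user and e.calling_uid not in allowlist
    ]


if __name__ == "__main__":
    for event in find_cross_user_removals(SAMPLE_LOG):
        print(f"cross-user removal: {event.pkg} (target user {event.target_user}, "
              f"caller uid {event.calling_uid} in user {event.calling_user})")
```

On the constructed sample this reports only com.example.mdmagent: a UID in user 0 removed a package from user 10. The VPN removal is same-user (UID 1010112 belongs to user 10), and the system-UID removal is suppressed by the allowlist; an environment that wants to see those too can pass an empty allowlist.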

Monitoring Recommendations

  • Enable detailed logging on managed Android fleets and forward package lifecycle events to a centralized analytics platform for cross-user anomaly detection.
  • Alert when applications protected by enterprise policy are removed outside of approved management workflows.
  • Track Android patch level reporting through MDM to confirm devices have received the May 2025 security patch level (2025-05-01).

How to Mitigate CVE-2025-0087

Immediate Actions Required

  • Apply the May 2025 Android security patch level (2025-05-01) or later to all affected Android 13, 14, and 15 devices.
  • Enforce a minimum patch level policy through MDM so non-compliant devices lose access to corporate resources until updated.
  • Audit multi-user Android deployments and remove untrusted applications that have access to non-primary user profiles.
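The minimum patch level policy above needs a concrete comparison against the 2025-05-01 level on Android 13, 14 and 15. The Python below is an added example for this article (not Google's or any MDM vendor's code); the device inventory rows and the export format are constructed, and it takes the affected versions and the fixed patch level from the text above. It fails closed: a device whose patch level cannot be parsed is reported as non-compliant rather than ignored.

```python
"""Classify an Android fleet's exposure to CVE-2025-0087 by patch level.

Added example; inventory rows are constructed and the export format is assumed.
"""
from datetime import date
from typing import Dict, List, Optional, Tuple

# From the May 2025 Android Security Bulletin (per the advisory text).
FIXED_PATCH_LEVEL = date(2025, 5, 1)
AFFECTED_MAJOR_VERSIONS = {13, 14, 15}

# Constructed inventory: (device id, Android release, ro.build.version.security_patch)
INVENTORY: List[Tuple[str, str, str]] = [
    ("dev-001", "14", "2025-05-01"),
    ("dev-002", "13", "2025-03-05"),
    ("dev-003", "15", "2025-06-05"),
    ("dev-004", "12", "2024-11-01"),
    ("dev-005", "14", "bad-value"),
]


def parse_patch_level(value: str) -> Optional[date]:
    """Parse a ro.build.version.security_patch value (YYYY-MM-DD); None if malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def classify(release: str, patch_level: str) -> str:
    """Return one of: not_affected, patched, vulnerable, unknown_patch."""
    try:
        major = int(release.split(".")[0])
    except ValueError:
        major = -1
    if major not in AFFECTED_MAJOR_VERSIONS:
        return "not_affected"          # CVE-2025-0087 lists only Android 13, 14, 15
    parsed = parse_patch_level(patch_level)
    if parsed is None:
        return "unknown_patch"         # fail closed: treat as non-compliant
    return "patched" if parsed >= FIXED_PATCH_LEVEL else "vulnerable"


def noncompliant_devices(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map device id -> status for devices that must be updated or investigated."""
    result = {}
    for device_id, release, patch_level in inventory:
        status = classify(release, patch_level)
        if status in ("vulnerable", "unknown_patch"):
            result[device_id] = status
    return result


if __name__ == "__main__":
    for device_id, status in noncompliant_devices(INVENTORY).items():
        print(f"{device_id}: {status}")
```

A real deployment would feed this from the MDM's patch level report rather than a hard-coded list; the comparison itself is the point, and the "unknown_patch" bucket is what catches devices that report nothing or report garbage.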

Patch Information

Google released the fix as part of the Android Security Bulletin May 2025. The framework change is tracked in the AOSP commit 4c269d7b0ec71951f773844b2a325e556f982a9c, which adds the missing permission check to UninstallerActivity.onCreate. Device manufacturers integrate the patch into their May 2025 or later monthly security releases.

Workarounds

  • Limit use of secondary user profiles and guest accounts on devices that cannot yet receive the May 2025 patch.
  • Restrict installation of untrusted apps by disabling sideloading and enforcing managed Google Play as the only install source.
  • Use enterprise mobility management policies to re-deploy critical applications automatically if they are removed.
```bash
# Verify the Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for patched devices: 2025-05-01 or later
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
