CVE-2026-28615: Google Android Privilege Escalation Flaw

CVE-2026-28615 is a privilege escalation vulnerability in Google Android's Telecomm component that allows unauthorized phone calls via permissions bypass. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-28615 Overview

CVE-2026-28615 is a permissions bypass vulnerability in the Android Telecomm component. A local attacker can initiate unauthorized phone calls without holding the required telephony permissions. The flaw enables local privilege escalation without additional execution privileges and requires no user interaction.

The issue is tracked under CWE-862: Missing Authorization and affects Android 17.0. Google published the fix in the Android Security Bulletin #17.

Critical Impact

A malicious application installed on an affected device can place phone calls silently, enabling toll fraud, surveillance pivots, and bypass of platform consent controls.

Affected Products

  • Google Android 17.0
  • Devices shipping with the affected Telecomm framework component
  • OEM builds derived from the AOSP 17.0 baseline prior to the June 2026 patch level

Discovery Timeline

  • 2026-06-17 - CVE-2026-28615 published to NVD
  • 2026-06-18 - Last updated in NVD database

Technical Details for CVE-2026-28615

Vulnerability Analysis

The Android Telecomm subsystem brokers call placement requests between applications and the underlying telephony stack. Apps that wish to place calls must hold the CALL_PHONE runtime permission or route requests through a user-mediated dialer intent.

CVE-2026-28615 stems from a missing authorization check inside this brokerage path. The Telecomm component accepts a call-initiation request without verifying that the calling package holds the required permission. As a result, an unprivileged local app can place a phone call as if it had been granted telephony access.

The vulnerability is classified under CWE-862: Missing Authorization. The CVSS vector indicates impact to the confidentiality, integrity, and availability of the device and of subsequent systems, including telephony billing and call routing infrastructure.

Root Cause

The root cause is an absent permission check on an internal call-placement entry point in the Telecomm service. Authorization logic intended to gate the path either runs on a code branch that is not reached, or trusts caller-supplied data instead of validating it against the package manager and runtime permission state.

Attack Vector

Exploitation requires a malicious application installed on the target device. The application invokes the unprotected Telecomm entry point and supplies the destination number. The Telecomm service places the call without prompting the user and without enforcing the CALL_PHONE permission.

No user interaction is required after the malicious app has been installed. Because no manifest permission needs to be requested for the abusive path, the application footprint at install time can appear benign. No public proof-of-concept code is available at the time of publication.

Detection Methods for CVE-2026-28615

Indicators of Compromise

  • Outbound calls in the device call log that do not correspond to any user-driven dialer activity
  • Carrier records showing calls to premium-rate or unfamiliar international numbers from managed devices
  • Applications without declared android.permission.CALL_PHONE that nonetheless trigger telephony state transitions
  • Unexpected TelecomManager or ConnectionService activity originating from non-dialer packages

Detection Strategies

  • Monitor mobile device management (MDM) telemetry for Android builds at security patch levels prior to the June 2026 bulletin
  • Correlate carrier call detail records (CDRs) against expected user activity windows to surface silent calls
  • Inspect installed application inventories for packages that interact with telephony APIs without declaring telephony permissions
  • Review application install sources and flag sideloaded APKs on corporate devices

Monitoring Recommendations

  • Ingest Android device logs and MDM compliance events into a centralized analytics platform to flag unpatched fleets
  • Alert on anomalous outbound call volume per device, particularly outside business hours
  • Track Android security patch level (ro.build.version.security_patch) across the managed fleet and trigger remediation workflows when devices fall behind
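
The after-hours call-volume alert recommended above can be prototyped over a CDR export. This is an added example, not part of the original advisory; the CSV layout (device_id,start_time,direction,destination), the sample rows, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: count outbound calls per device that started outside
# business hours and report devices at or above a threshold.
# The CDR layout and every row below are constructed sample data.

sample_cdrs() {
cat <<'EOF'
device_id,start_time,direction,destination
dev-001,2026-06-20T09:15:00,outbound,+15550100
dev-001,2026-06-20T14:02:00,outbound,+15550101
dev-002,2026-06-20T02:11:00,outbound,+15550199
dev-002,2026-06-20T02:13:00,outbound,+15550199
dev-002,2026-06-20T03:40:00,outbound,+15550142
dev-003,2026-06-20T23:05:00,inbound,+15550102
dev-003,2026-06-20T22:30:00,outbound,+15550103
EOF
}

# after_hours_outbound FROM_HOUR UNTIL_HOUR THRESHOLD  < cdr.csv
# Business hours are [FROM_HOUR, UNTIL_HOUR) in the CDR's local time.
# Prints "device_id count" for each device with at least THRESHOLD
# outbound calls that started outside that window.
after_hours_outbound() {
  awk -F, -v from="$1" -v until="$2" -v thresh="$3" '
    NR == 1 { next }              # skip the header row
    $3 != "outbound" { next }     # inbound calls are not relevant here
    {
      hour = substr($2, 12, 2) + 0   # HH from YYYY-MM-DDTHH:MM:SS
      if (hour < from || hour >= until) count[$1]++
    }
    END { for (d in count) if (count[d] >= thresh) print d, count[d] }
  ' | sort
}

# Flag devices with two or more outbound calls outside 08:00-18:00.
sample_cdrs | after_hours_outbound 8 18 2
```

Devices reported here are candidates for the call-log and installed-application review described under Indicators of Compromise.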

How to Mitigate CVE-2026-28615

Immediate Actions Required

  • Apply the Android security patch level corresponding to Android Security Bulletin #17 on all affected devices
  • Enforce MDM policies that block enrollment or network access for devices below the patched security patch level
  • Restrict installation of applications from untrusted sources on corporate-managed Android 17.0 devices
  • Audit the installed application inventory for unknown or recently sideloaded packages

Patch Information

Google addressed CVE-2026-28615 in Android 17 through the fix referenced in the Android Security Bulletin #17. OEM downstream patches are delivered through device vendor update channels. Ensure both the AOSP security patch level and any vendor-specific patches are applied.

Workarounds

  • Use MDM to disable installation of apps from unknown sources and restrict app installs to vetted enterprise catalogs
  • Apply carrier-side restrictions on premium-rate and international dialing for managed device lines until patches are deployed
  • Remove untrusted applications and re-baseline high-risk devices to a known-good image
```bash
# Verify the Android security patch level on a device via adb
adb shell getprop ro.build.version.security_patch

# Confirm the patch level is on or after the June 2026 Android Security Bulletin
```
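
The confirmation step can be scripted so that every attached device is classified in one pass. This is an added example, not vendor tooling; the `MIN_PATCH` default of 2026-06-01 is an assumed value for the June 2026 patch level and should be replaced with the string given in the bulletin, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: classify devices by security patch level.
# MIN_PATCH is an assumption; set it to the patch level string from the
# bulletin that carries the fix.
MIN_PATCH="${MIN_PATCH:-2026-06-01}"

# patch_status LEVEL [MIN] -> prints PATCHED, VULNERABLE or UNKNOWN.
patch_status() {
  level=$(printf '%s' "$1" | tr -d '\r')   # adb output may end in CR
  min="${2:-$MIN_PATCH}"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo UNKNOWN; return 0 ;;           # empty or malformed property
  esac
  # Dropping the dashes turns YYYY-MM-DD into an integer that orders by date.
  if [ "$(printf '%s' "$level" | tr -d '-')" -lt "$(printf '%s' "$min" | tr -d '-')" ]; then
    echo VULNERABLE
  else
    echo PATCHED
  fi
}

# audit_connected: print "serial status patch_level" for each device that
# adb lists in the "device" state (unauthorized/offline entries are skipped).
audit_connected() {
  adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
  while read -r serial; do
    # </dev/null stops adb from consuming the serial list on stdin
    raw=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
    printf '%s %s %s\n' "$serial" "$(patch_status "$raw")" "$raw"
  done
}

# Query real devices only when asked; otherwise show constructed values.
if [ "${1:-}" = "--adb" ]; then
  audit_connected
else
  for sample in 2026-05-05 2026-06-01 2026-07-05 ""; do
    printf '%s -> %s\n' "${sample:-<empty>}" "$(patch_status "$sample")"
  done
fi
```

A result of UNKNOWN means the property was missing or malformed and the device should be treated as unpatched until checked by hand.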

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
