A critical Android vulnerability identified as CVE-2024-31317 has been discovered that allows attackers to execute arbitrary code with system privileges. The “Zygote Injection” vulnerability affects devices running Android 11 or older and enables attackers to escalate privileges from a shell user to the system user, potentially compromising entire devices. The vulnerability has been described by security researchers as possibly the most valuable userspace Android vulnerability in recent years.

The vulnerability targets Android’s Zygote process, a crucial component of the operating system responsible for forking new applications and system processes. When an Android device powers on, after the Linux kernel initializes, it launches essential Android services including the Zygote process, which runs with system privileges.

Security researchers at Infosec found that Android’s hidden_api_blacklist_exemptions global setting, which allows certain apps to bypass Android’s hidden API restrictions, can be manipulated to inject malicious commands. The System Server component does not properly escape newline characters when passing commands to the Zygote process, creating a critical injection point. This occurs because System Server’s update() method is called whenever the hidden_api_blacklist_exemptions setting changes, and it passes the setting directly to Zygote without proper sanitization. While unprivileged apps cannot alter this setting, security researchers demonstrated that when a malicious actor modifies it with injected newlines, they can append arbitrary Zygote commands that the system treats as legitimate commands for process creation.

Users should be cautious, as exploiting this vulnerability can cause device bootloops: the modified setting persists across reboots and directly affects how Zygote spawns processes. Android devices should be updated to the latest security patches to mitigate this serious vulnerability, especially since it affects all Android versions up to Android 11. While the vulnerability primarily affects older Android versions, it highlights the importance of proper security boundaries in operating system design, and the Android Zygote Injection vulnerability demonstrates how seemingly minor input validation issues can lead to system-wide security compromises.
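To make the injection point concrete from the defender's side, here is an added example (written for this article, not Android's own code) that simulates the line-oriented framing of the Zygote command socket: an argument count on the first line, then one argument per line. It shows why a setting value containing a newline produces more lines than the sender declared, so the remainder is read as a further command, and it shows the input check the System Server side should apply before forwarding the value. The flag name `--set-exemptions-PLACEHOLDER` and the two sample setting values are constructed placeholders, not values taken from the article or from Android.

```python
# Added illustrative example: simulated Zygote-style framing and the defender's check.
# Not Android source. Flag name and sample values are constructed placeholders.

PLACEHOLDER_FLAG = "--set-exemptions-PLACEHOLDER"  # stands in for the real Zygote argument name


def frame_zygote_args(args):
    """Frame a list of arguments line-oriented style: count first, then one argument per line."""
    return f"{len(args)}\n" + "".join(f"{arg}\n" for arg in args)


def split_frame(frame):
    """Parse a frame back into (declared_count, received_lines), ignoring the trailing newline."""
    lines = frame.split("\n")
    if lines and lines[-1] == "":
        lines.pop()
    return int(lines[0]), lines[1:]


def frame_is_consistent(frame):
    """True when the receiver sees exactly as many argument lines as the sender declared."""
    declared, received = split_frame(frame)
    return declared == len(received)


def is_safe_setting_value(value):
    """The check System Server should apply: a single-line setting must contain no line breaks."""
    return "\n" not in value and "\r" not in value


def build_exemptions_args(value, validate=True):
    """Build the argument list forwarded to Zygote; the hardened path rejects multi-line values."""
    if validate and not is_safe_setting_value(value):
        raise ValueError("hidden_api_blacklist_exemptions must not contain line breaks")
    return [PLACEHOLDER_FLAG, value]


# Constructed sample values (not from the article):
BENIGN_VALUE = "com.example.app.Foo,com.example.app.Bar"
TAMPERED_VALUE = "com.example.app.Foo\nINJECTED_LINE"  # one embedded newline


def demo():
    """Compare the unpatched forwarding path with the hardened one on both sample values."""
    benign_frame = frame_zygote_args(build_exemptions_args(BENIGN_VALUE))

    # Unpatched behaviour: the value is forwarded as-is, so one argument becomes two lines.
    unpatched_frame = frame_zygote_args(build_exemptions_args(TAMPERED_VALUE, validate=False))
    declared, received = split_frame(unpatched_frame)

    # Hardened behaviour: the same value is refused before anything reaches the socket.
    try:
        build_exemptions_args(TAMPERED_VALUE)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "benign_consistent": frame_is_consistent(benign_frame),
        "tampered_declared": declared,          # sender declared 2 arguments
        "tampered_received": len(received),     # receiver sees 3 lines
        "tampered_rejected": rejected,          # hardened path refuses the value
    }


if __name__ == "__main__":
    print(demo())
```

The count/line mismatch is the whole story: a line-oriented protocol that trusts a count header cannot tell a legitimate third line from the first line of the next command, so the only safe place to fix this is before the value is framed, by refusing line breaks in a setting that is defined to be single-line.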
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 11 Mar 2025 08:20:08 +0000