In multiple locations, there is a possible way to overlay the installation confirmation dialog due to a tapjacking/overlay attack. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "106852290312809516895377641684996428641", "100619307944333955550393411756035339383", "253671319467356316573877843325206305148", "194305148853903854519207401895473405000", "164618263518515534571435835108085346840", "117242953883748989660592205141705532966", "322276312425168391457092955602260976032", "82791985082628779718638862041003667333" ] }, "id": "ASB-A-370958259-15063416", "source": "https://android.googlesource.com/platform/frameworks/base/+/b1612955cb7fb2f69f1e04d437bb7fabd411ff7c", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/PackageInstaller/src/com/android/packageinstaller/UnarchiveActivity.java" }, "signature_type": "Line" }, { "digest": { "length": 1595.0, "function_hash": "237969592052963635730934805885314022583" }, "id": "ASB-A-370958259-86d7bb7a", "source": "https://android.googlesource.com/platform/frameworks/base/+/b1612955cb7fb2f69f1e04d437bb7fabd411ff7c", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/PackageInstaller/src/com/android/packageinstaller/UnarchiveActivity.java", "function": "onCreate" }, "signature_type": "Function" }, { "digest": { "length": 537.0, "function_hash": "323308802861785688109354783023765293940" }, "id": "ASB-A-370958259-9c9d11ac", "source": "https://android.googlesource.com/platform/frameworks/base/+/b1612955cb7fb2f69f1e04d437bb7fabd411ff7c", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/PackageInstaller/src/com/android/packageinstaller/UnarchiveFragment.java", "function": "onCreateDialog" }, "signature_type": "Function" }, { "digest": { "threshold": 0.9, "line_hashes": [ "34647006730598393968881487632720217521", "220837909846715867234019510086613959071", "112944296168326975797965234027075705758", "268955711874604927044415729134364870134", "104335380940393650208967793504429997267", "227051776264705071281256115035437909817", "74088909021720321535169830157439491633", "188813712324366316321383523893347649282", "155842730872581119733874838446406534715", "200236479055803650491839492661848229957" ] }, "id": "ASB-A-370958259-f65c7aee", "source": "https://android.googlesource.com/platform/frameworks/base/+/b1612955cb7fb2f69f1e04d437bb7fabd411ff7c", "deprecated": false, "signature_version": "v1", "target": { "file": "packages/PackageInstaller/src/com/android/packageinstaller/UnarchiveFragment.java" }, "signature_type": "Line" } ], "fixes": [ "https://android.googlesource.com/platform/frameworks/base/+/b1612955cb7fb2f69f1e04d437bb7fabd411ff7c" ], "spl": "2025-03-01", "severity": "High", "types": [ "EoP" ] }