## https://sploitus.com/exploit?id=73B7D300-93D1-5809-B9EC-8E581A05C970
PoC for CVE-2024-23700, which allows an app to silently obtain permissions to read/write contacts, SMS, calendar, call log and voicemail, make outgoing calls or answer incoming calls, manipulate call settings, access and control notifications sent by other apps, control nearby devices, access the microphone to record audio, access device identifiers, and bypass background restrictions.
This is done through a privilege escalation vulnerability that enables a malicious app to establish companion device associations without user interaction.
Android Security Severity: Critical
This exploit is made to warn geek users about the potential risk of their "optimization". Background: some people believed that removing "useless" system apps could improve their security by reducing the attack surface; others used modules to disable signature verification to allow more flexible usage, such as installing unofficial apps. Some module developers enabled those dangerous features by default.
Download prebuilt PoC app: https://github.com/canyie/CVE-2024-23700/releases
Demonstration screen recording of silently obtaining multiple dangerous permissions and reading device notifications: https://github.com/canyie/CVE-2024-23700/blob/main/screen-20260120-233400-1768923180588.mp4
If the provided PoC app fails to install on your device, the device is not vulnerable.
Most devices should not be vulnerable unless they fall into one of these categories:
- Watch devices running WearOS with security patch level earlier than 2024-05-01 ([bulletin](https://source.android.com/docs/security/bulletin/wear/2024/2024-05-01) and [patch](https://cs.android.com/android/_/android/platform/frameworks/base/+/2f870bdab227dcb5dcfc077fc13143a2554bcdbb))
- Devices with no `com.android.companiondevicemanager` preinstalled (a simplified ROM with "useless" components removed, or a device with so-called "optimizing" modules installed)
- Devices with a broken signature verification implementation (e.g. disabled by CorePatch)
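
The first two conditions in the list above can be checked from a host with `adb`, without installing the PoC. The script below is an added example, not part of the original repository; the function names `assess_device` and `collect_and_assess` are its own, and it assumes `adb` is on the PATH with one device attached. It does not detect disabled signature verification.

```shell
#!/bin/sh
# Added example: triage a device against the conditions listed on this page.
# assess_device takes already-collected facts, so it also works offline:
#   $1 security patch level, YYYY-MM-DD (ro.build.version.security_patch)
#   $2 "watch" if the device declares android.hardware.type.watch, else "other"
#   $3 "present" if com.android.companiondevicemanager is installed, else "missing"
# Prints one finding per line. Returns 0 = no condition matched,
# 1 = at least one matched, 2 = unparseable input.
assess_device() {
    patch=$1 form=$2 cdm=$3 hits=0
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "ERROR: unparseable patch level '$patch'"; return 2 ;;
    esac
    # YYYY-MM-DD -> YYYYMMDD so an integer comparison is enough
    patch_num=$(printf '%s' "$patch" | sed 's/-//g')
    if [ "$form" = watch ] && [ "$patch_num" -lt 20240501 ]; then
        echo "AT-RISK: Wear OS patch level $patch is earlier than 2024-05-01"
        hits=1
    fi
    if [ "$cdm" = missing ]; then
        echo "AT-RISK: com.android.companiondevicemanager is not installed"
        hits=1
    fi
    if [ "$hits" -eq 0 ]; then
        echo "OK: none of the checked conditions matched"
    fi
    return "$hits"
}

# Collect the three facts from the attached device and assess them.
collect_and_assess() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    if adb shell pm list features | grep -q 'android.hardware.type.watch'; then
        kind=watch
    else
        kind=other
    fi
    # pm path prints "package:<apk path>" only when the package is installed
    if adb shell pm path com.android.companiondevicemanager | grep -q '^package:'; then
        state=present
    else
        state=missing
    fi
    assess_device "$level" "$kind" "$state"
}

# Only touch adb when asked to, e.g.: sh check.sh --adb
if [ "${1:-}" = "--adb" ]; then collect_and_assess; fi
```

An `OK` result covers only these two conditions; a device whose package signature verification has been disabled still falls into the third category.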