Lost in Conversion: Exploit Data Structure Conversion with Attribute Loss to Break Android Systems

Overview

This website accompanies the USENIX Security '23 paper: Lost in Conversion: Exploit Data Structure Conversion with Attribute Loss to Break Android Systems.

Rui Li, Wenrui Diao (✉️), Shishuai Yang, Xiangyu Liu, Shanqing Guo, and Kehuan Zhang. Lost in Conversion: Exploit Data Structure Conversion with Attribute Loss to Break Android Systems. The 32nd USENIX Security Symposium, Anaheim, CA, USA. August 9-11, 2023.

demo-bug-etf1.mp4

Vul#1: Break Permission Protection Levels

In this demo, the PoC app obtains the CALL_PHONE permission (a dangerous system permission) without user consent as soon as it is installed.

The adversary exploits twin permissions with the same name but different protection levels (dangerous vs. signature|development) and groups (PHONE vs. not set).

Responsible Disclosure: Confirmed by Google. Fixed.

Android-ID-209607944: High Severity.

CVE ID: CVE-2021-39695

bug-demo-etf2.mp4

Vul#2: Break Permission-Group Mapping 

In this demo, the PoC app obtains the CALL_PHONE permission (a dangerous system permission) without user consent after being updated.

The adversary exploits twin permissions with the same name but different groups (STORAGE vs. PHONE).

Responsible Disclosure: Confirmed by Google. Fixed.

Android-ID-213323615: High Severity.

CVE ID: CVE-2022-20392

bug-demo-etf3.mp4

Vul#3: Break Permission Registration Status

In this demo, the permission registration information remains in the system even after the original permission declaration is removed by updating the PoC app. Further, the PoC app keeps its original permission granting status, and the victim app cannot be installed.

The adversary exploits the permission tree and the permission with the same name (this permission tree and this permission are twins).

Responsible Disclosure: Confirmed by Google.

Android-ID-227340775: Low Severity.

bug-demo-etf4.mp4

Vul#4: Break Permission Granting Status

In this demo, the PoC app obtains the CALL_PHONE permission (a dangerous system permission) without user consent.

The adversary exploits the permission tree and the permission with the same name (this permission tree and this permission are twins).

Responsible Disclosure: Confirmed by Google.

Android-ID-225880325: Moderate Severity.

CVE ID: CVE-2023-20971

Google Comment: "We applied a -1 modifier due to this vulnerability requiring non-trivial and unlikely user actions."
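As an added example (not code from the paper or its artifacts), a defender-side manifest check that flags the twin patterns described in Vul#1 to Vul#4: one permission name declared with conflicting protectionLevel or permissionGroup values, a `<permission-tree>` sharing its name with a `<permission>`, and group changes across an update when the pre- and post-update manifests are passed together. The manifests and the package name com.example.poc are constructed samples.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # attribute namespace in manifests

def collect_declarations(manifest_xml):
    """Yield (name, tag, protectionLevel, permissionGroup) for every <permission>/<permission-tree>."""
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag in ("permission", "permission-tree"):
            yield (elem.get(ANDROID + "name"), elem.tag,
                   elem.get(ANDROID + "protectionLevel", "normal"),   # manifest default level
                   elem.get(ANDROID + "permissionGroup", "<not set>"))

def find_twin_permissions(*manifests):
    """Report names declared more than once with conflicting attributes.
    Pass the pre- and post-update manifests together to catch twins that
    only exist across an update."""
    by_name = {}
    for xml in manifests:
        for name, tag, level, group in collect_declarations(xml):
            by_name.setdefault(name, []).append((tag, level, group))
    findings = []
    for name, decls in by_name.items():
        if len(decls) < 2:
            continue
        if len({tag for tag, _, _ in decls}) > 1:   # <permission-tree> twin of a <permission>
            findings.append((name, "permission-tree/permission name collision"))
        perms = [d for d in decls if d[0] == "permission"]
        levels = {level for _, level, _ in perms}
        groups = {group for _, _, group in perms}
        if len(levels) > 1:
            findings.append((name, "conflicting protectionLevel: " + ", ".join(sorted(levels))))
        if len(groups) > 1:
            findings.append((name, "conflicting permissionGroup: " + ", ".join(sorted(groups))))
    return findings

def manifest(*decls):
    """Wrap declarations in a minimal manifest (constructed sample input)."""
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="com.example.poc">' + "".join(decls) + "</manifest>")

# Constructed samples mirroring the twin patterns described above; com.example.poc is a placeholder.
CALL_PHONE = '<permission android:name="android.permission.CALL_PHONE" android:protectionLevel="dangerous" '
POC_V1 = manifest(  # Vul#1-style level/group twins plus a Vul#3/#4-style tree/permission twin
    CALL_PHONE + 'android:permissionGroup="android.permission-group.PHONE"/>',
    '<permission android:name="android.permission.CALL_PHONE" android:protectionLevel="signature|development"/>',
    '<permission-tree android:name="com.example.poc.tree"/>',
    '<permission android:name="com.example.poc.tree"/>')
POC_OLD = manifest(CALL_PHONE + 'android:permissionGroup="android.permission-group.STORAGE"/>')  # Vul#2: before update
POC_NEW = manifest(CALL_PHONE + 'android:permissionGroup="android.permission-group.PHONE"/>')    # Vul#2: after update
```

Running `find_twin_permissions(POC_V1)` reports three findings, and `find_twin_permissions(POC_OLD, POC_NEW)` reports the STORAGE-to-PHONE group change that neither manifest shows on its own.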