CVE-2023-35674 — Android Framework Privilege Escalation Vulnerability

CVE-2023-35674

Android Framework — Local Privilege Escalation Zero-Day in September 2023 Security Bulletin

What is the Android Framework?

The Android Framework is the application-level layer of the Android operating system that manages the application lifecycle, permissions, inter-process communication (IPC), and system services. It includes the Activity Manager, Package Manager, Window Manager, and other core services that all Android apps interact with. Privilege escalation vulnerabilities in the Framework allow a malicious application with standard user-level permissions to gain elevated system-level privileges, bypassing Android's app sandbox and permission model.

Overview

CVE-2023-35674 is a privilege escalation vulnerability in the Android Framework that allows a local attacker with app-level access to escalate privileges without user interaction. Google disclosed and patched it in the September 2023 Android Security Bulletin (published 2023-09-05), noting that there were indications it may have been under limited, targeted exploitation. CISA added it to the KEV catalog eight days later, on 2023-09-13.

Affected Versions

Android Version Affected Fixed
Android 11 Yes September 2023 patch level (2023-09-01)
Android 12 / 12L Yes September 2023 patch level (2023-09-01)
Android 13 Yes September 2023 patch level (2023-09-01)

Android devices must apply the 2023-09-01 security patch level (or the 2023-09-05 patch level for the complete bulletin) to be protected.

Technical Details

Google's Android Security Bulletin describes CVE-2023-35674 as enabling "local escalation of privilege" with "no additional execution privileges needed": the attacker requires only low-privileged code execution on the device, such as a malicious installed app. The bug is in the Android Framework layer, which implements the IPC and system-service infrastructure that every app uses. The bulletin does not describe the root cause beyond that one-line summary; an ordinary app gaining a privileged capability points to an access-control or IPC-handling flaw in a Framework service, not to a kernel or vendor-driver bug.

In practical exploitation scenarios, this vulnerability would typically appear as the second stage of a two-step chain:

  1. Initial access: A malicious app is installed on the device (via social engineering, third-party app store, or a remote code execution vulnerability in a browser or other app).
  2. Privilege escalation (CVE-2023-35674): The installed app exploits the Framework vulnerability to escape its sandbox and gain elevated privileges, enabling the installation of persistent payloads, access to sensitive system data, or disabling of security controls.

The CVSS profile (AV:L/AC:L/PR:L/UI:N) reflects this: PR:L corresponds to the low privileges of an ordinary installed app, so local code execution is needed first, but once achieved, exploitation is low-complexity and requires no further user interaction.

Discovery

Google credited an anonymous reporter. Google's statement that the bug showed indications of limited, targeted exploitation at the time of the bulletin implies it was discovered and weaponized by threat actors before disclosure, consistent with its use as the privilege escalation step in targeted attacks.

Exploitation Context

Google noted indications of "limited, targeted exploitation" in the September 2023 bulletin. This phrasing is consistent with use by commercial surveillance vendors or state-sponsored actors against specific high-value individuals rather than mass opportunistic exploitation. Publicly documented Android Framework zero-days are rarer than iOS zero-days, but they are no less valuable for targeted surveillance: Android's large global market share, particularly outside North America and Western Europe, makes it a priority target for many state-level threat actors.

CISA added CVE-2023-35674 to KEV on September 13, 2023; inclusion requires reliable evidence of active exploitation in the wild.

Remediation

  1. Apply the September 2023 Android Security Bulletin — install the 2023-09-01 or 2023-09-05 patch level via your device's system update mechanism.
  2. For Pixel devices: OTA updates were available from September 11, 2023 — go to Settings → System → System Update.
  3. For non-Pixel Android devices: OEMs (Samsung, OnePlus, Motorola, etc.) receive the fixes from Google and ship them on their own schedules, often weeks to months later. Check the manufacturer's security bulletin, and verify the security patch level the device itself reports under Settings (it must read 2023-09-01 or later).
  4. Enable automatic system updates on all Android devices to reduce the window between patch release and application.
  5. Avoid sideloading apps and restrict installation to Google Play — the primary delivery mechanism for the initial access stage is malicious app installation from untrusted sources.
  6. For enterprise Android fleets: use Android Enterprise / MDM to enforce minimum patch level requirements and quarantine or block devices that fall below the required level.
  7. If compromise is suspected — particularly for individuals at elevated risk of targeted surveillance — a factory reset and restore from a verified clean backup is the safest remediation path.
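The patch-level check behind steps 3 and 6 can be scripted. The POSIX shell script below is an added example written for this page, not code from Google, CISA or the bulletin. It relies on two real Android system properties, ro.build.version.release (the Android version, with 12L reporting "12") and ro.build.version.security_patch (a YYYY-MM-DD string), compares the patch level against 2023-09-01, and classifies each device as patched, vulnerable, unknown-patch (property missing or malformed) or not-in-bulletin (a version the bulletin does not list). The inventory format and sample devices are constructed; only check_connected_device touches a real device, via adb, and it is not invoked.

```shell
#!/bin/sh
# Added example for this page; not code from the Android Security Bulletin or
# any Google/CISA tool. Classifies a device against the CVE-2023-35674 fix
# using two properties any fleet tool (or `adb shell getprop`) can read:
#   ro.build.version.release        e.g. "11", "12", "13"  (12L reports "12")
#   ro.build.version.security_patch e.g. "2023-09-01"
# The inventory at the bottom is constructed sample data, not real devices.

REQUIRED_PATCH="2023-09-01"   # patch level carrying the Framework fixes

# patch_to_int YYYY-MM-DD -> prints YYYYMMDD so the shell can compare integers.
# Returns 1 and prints nothing for anything that is not a well-formed date
# (empty or odd property values from a tampered or unusual build).
patch_to_int() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9])
            printf '%s\n' "$1" | tr -d '-' ;;
        *)
            return 1 ;;
    esac
}

# classify_device RELEASE PATCH_LEVEL
# Prints one of: patched | vulnerable | unknown-patch | not-in-bulletin
classify_device() {
    release="$1"
    level="$2"
    case "$release" in
        11|12|13) ;;                                  # versions the bulletin lists
        *) printf 'not-in-bulletin\n'; return 0 ;;    # e.g. Android 10 or 14
    esac
    have=$(patch_to_int "$level") || { printf 'unknown-patch\n'; return 0; }
    need=$(patch_to_int "$REQUIRED_PATCH")
    if [ "$have" -ge "$need" ]; then
        printf 'patched\n'
    else
        printf 'vulnerable\n'
    fi
}

# count_vulnerable: reads "DEVICE RELEASE PATCH_LEVEL" lines on stdin and prints
# how many are still exposed (the number an MDM minimum-patch policy drives to 0).
count_vulnerable() {
    n=0
    while read -r dev rel lvl; do
        [ -n "$dev" ] || continue
        if [ "$(classify_device "$rel" "$lvl")" = vulnerable ]; then
            n=$((n + 1))
        fi
    done
    printf '%s\n' "$n"
}

# report_inventory: same input, one status line per device.
report_inventory() {
    while read -r dev rel lvl; do
        [ -n "$dev" ] || continue
        printf '%-10s %-3s %-11s %s\n' "$dev" "$rel" "$lvl" "$(classify_device "$rel" "$lvl")"
    done
}

# Single attached device (assumes adb is installed and the device is authorized
# for debugging). Defined but not called, so the script runs offline.
check_connected_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    lvl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf 'connected %s %s\n' "$rel" "$lvl" | report_inventory
}

# Constructed sample inventory: device name, Android release, patch level.
SAMPLE_INVENTORY='pixel-a  13 2023-09-05
tablet-b 12 2023-08-05
phone-c  11 2023-09-01
phone-d  14 2023-10-05
phone-e  13 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | report_inventory
printf 'vulnerable devices: %s\n' "$(printf '%s\n' "$SAMPLE_INVENTORY" | count_vulnerable)"
```

Because the patch level is an ISO date, stripping the dashes and comparing integers is enough to order it; a malformed or empty value is deliberately reported as unknown-patch rather than assumed patched, which is the failure mode to get right in a compliance check. Android 14 devices are reported as not-in-bulletin rather than patched because the page's affected-versions table does not cover them.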

Key Details

Property               Value
CVE ID                 CVE-2023-35674
Vendor / Product       Android — Framework
NVD Published          2023-09-11
NVD Last Modified      2025-10-23
CVSS 3.1 Score         7.8
CVSS 3.1 Vector        CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity               HIGH
CISA KEV Added         2023-09-13
CISA KEV Deadline      2023-10-04
Known Ransomware Use   No

CVSS 3.1 Breakdown

Attack Vector         Local
Attack Complexity     Low
Privileges Required   Low
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          High

Required Action

CISA BOD 22-01 Deadline: 2023-10-04. Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2023-09-05   Google releases the September 2023 Android Security Bulletin, patching CVE-2023-35674 and noting indications of limited, targeted exploitation
2023-09-11   Pixel devices receive the September 2023 security update via OTA
2023-09-13   Added to the CISA Known Exploited Vulnerabilities catalog
2023-10-04   CISA BOD 22-01 remediation deadline

References

Resource                                     Type
Android Security Bulletin — September 2023   Vendor Advisory
NVD — CVE-2023-35674                         Vulnerability Database
CISA KEV Catalog Entry                       US Government