VYPR
Unrated severity · NVD Advisory · Published May 30, 2023 · Updated Jan 14, 2025

CVE-2022-47029

Description

An issue in Action Launcher v50.5 allows an attacker to escalate privileges via modification of the intent string passed to the update function.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Action Launcher v50.5 allows unauthorized apps to modify intent strings in its exposed database, enabling privilege escalation and UI spoofing.

Vulnerability

Action Launcher v50.5 (com.actionlauncher.playstore) exposes a content provider at content://com.actionlauncher.playstore.settings/favorites that stores desktop icon information, including the intent string used to launch the target app's MainActivity. An unauthorized app can modify this database, specifically the intent field, to change which app is launched when a user taps an icon. The affected version is 50.5 [1].

Exploitation

An attacker installs a malicious app on the same device. No special permissions beyond normal Android app permissions are required because the content provider is exported. The attacker uses ContentResolver.update() to modify the intent column of a favorite entry, replacing the legitimate intent with one pointing to a malicious app. The proof-of-concept demonstrates setting the intent to launch a fake app with the same icon name (e.g., "Camera") and specifying the attacker's package and component. The attacker can also change the icon name, picture, and screen coordinates [1].

Impact

Successful exploitation allows the attacker to perform a UI spoofing attack. When the user taps the icon (e.g., Google Camera), the malicious app launches instead, potentially stealing sensitive information (e.g., camera input, credentials) or performing other malicious actions. The attacker gains the ability to replace any app icon on the launcher with a fake one, leading to privilege escalation in terms of user trust and data access [1].

Mitigation

As of the publication date (2023-05-30), the vendor (Action Launcher) has not released a patch. Users should avoid installing untrusted apps and monitor for updates. The vulnerability is not listed in CISA KEV. No official workaround is available beyond restricting access to the content provider, which requires modifying the app's manifest [1].
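
The restriction described above can be checked from a decoded manifest. The following is an added example (not code from the advisory, the vendor or the cited reference) that flags exported providers other apps can write to. The manifest is constructed: only the authority com.actionlauncher.playstore.settings comes from this page, while the provider class names, the com.example.* entries and the permission names are hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest, not the app's real one; class and permission names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.actionlauncher.playstore">
  <permission android:name="com.example.WRITE_WEAK" android:protectionLevel="normal"/>
  <permission android:name="com.example.WRITE_SIG" android:protectionLevel="signature"/>
  <application>
    <provider android:name=".HypotheticalSettingsProvider" android:exported="true"
              android:authorities="com.actionlauncher.playstore.settings"/>
    <provider android:name=".WeakProvider" android:exported="true"
              android:authorities="com.example.weak"
              android:writePermission="com.example.WRITE_WEAK"/>
    <provider android:name=".GuardedProvider" android:exported="true"
              android:authorities="com.example.guarded"
              android:writePermission="com.example.WRITE_SIG"/>
    <provider android:name=".PrivateProvider" android:exported="false"
              android:authorities="com.example.private"/>
  </application>
</manifest>"""


def audit_providers(manifest_xml):
    """Return {authority: finding} for exported providers that other apps can write to."""
    root = ET.fromstring(manifest_xml)
    # Map each permission declared in this manifest to its protectionLevel (default: normal).
    levels = {p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
              for p in root.findall("permission")}
    findings = {}
    for prov in root.iter("provider"):
        if prov.get(ANDROID + "exported") != "true":
            continue  # assumption: targetSdkVersion >= 17, where providers default to not exported
        # writePermission takes precedence over the general permission attribute for writes.
        perm = prov.get(ANDROID + "writePermission") or prov.get(ANDROID + "permission")
        authority = prov.get(ANDROID + "authorities")
        level = levels.get(perm)
        if perm is None:
            findings[authority] = "exported with no write permission"
        elif level is None:
            findings[authority] = "write permission %s declared elsewhere; verify its level" % perm
        elif "signature" not in level:
            findings[authority] = "write permission %s is not signature-level" % perm
    return findings


if __name__ == "__main__":
    print(audit_providers(SAMPLE_MANIFEST))
```

The manifest packaged inside an APK is binary XML, so decode it first (for example with apktool) before passing its text to audit_providers.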

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
