CVE-2025-0087

MEDIUM

Android - Local Privilege Escalation via UninstallerActivity Permission Bypass

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-0087. PoCs published by SpiralBL0CK.

AI-analyzed exploit summary This is a Frida-based exploit for CVE-2025-0087 targeting Android's Package Installer, combining local privilege escalation (LPE) techniques such as root shell attempts, tapjacking, and intent hijacking. The exploit hooks into the UninstallLaunch activity to manipulate user handles and escalate privileges.

Description

In onCreate of UninstallerActivity.java, there is a possible way to uninstall a different user's app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Exploits (2)

nomisec WORKING POC 22 stars

by SpiralBL0CK · poc

https://github.com/SpiralBL0CK/CVE-2025-0087-

View Code ZIP pw:eip

This is a Frida-based exploit for CVE-2025-0087 targeting Android's Package Installer, combining local privilege escalation (LPE) techniques such as root shell attempts, tapjacking, and intent hijacking. The exploit hooks into the UninstallLaunch activity to manipulate user handles and escalate privileges.

Classification

Working Poc 90%

Attack Type

Lpe

Complexity

Complex

Reliability

Racy

Target: Android Package Installer (API 34)

No auth needed

Prerequisites: Frida installed on the target device · Access to the target Android device · API level 34 or lower

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1548 - Abuse Elevation Control Mechanism

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC

by SpiralBL0CK · poc

https://github.com/SpiralBL0CK/CVE-2025-0087

View Code ZIP pw:eip

This PoC demonstrates a denial-of-service (DoS) vulnerability in the Android Package Installer by injecting an oversized label via Frida-based hooking of the `loadLabel` method, causing potential truncation or overflow issues.

Classification

Working Poc 90%

Attack Type

Dos

Complexity

Moderate

Reliability

Reliable

Target: Android Package Installer (com.android.packageinstaller)

No auth needed

Prerequisites: Frida framework · Android device with target package installed

MITRE ATT&CK

T1499 - Endpoint Denial of Service

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Core References

Product

https://android.googlesource.com/platform/frameworks/base/+/4c269d7b0ec71951f773844b2a325e556f982a9c

Vendor Advisory

https://source.android.com/security/bulletin/2025-05-01

Scores

CVSS v3 5.1

EPSS 0.0021

EPSS Percentile 11.0%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-689

Status published

Products (3)

google/android 13.0

google/android 14.0

google/android 15.0

Published Sep 04, 2025

Tracked Since Feb 18, 2026