In SmsDefaultDialog.onStart of SmsDefaultDialog.java, there is a possible escalation of privilege due to an overlay attack. This could lead to local escalation of privilege, granting privileges to a local app without the users informed consent, with no additional privileges needed. User interaction is needed for exploitation. Product: Android Versions: Android-7.0 Android-7.1.1 Android-7.1.2 Android-8.0 Android-8.1 Android-9 Android ID: A-120484087
The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Android | 7.0 (including) | 7.0 (including) | |
| Android | 7.1.1 (including) | 7.1.1 (including) | |
| Android | 7.1.2 (including) | 7.1.2 (including) | |
| Android | 8.0 (including) | 8.0 (including) | |
| Android | 8.1 (including) | 8.1 (including) | |
| Android | 9.0 (including) | 9.0 (including) |
Developers often choose default values that leave the product as open and easy to use as possible out-of-the-box, under the assumption that the administrator can (or should) change the default value. However, this ease-of-use comes at a cost when the default is insecure and the administrator does not change it.