Android lets apps intercept drag-and-drop (CVE-2025-48574)
CVE-2025-48574
An installed app can intercept drag-and-drop events to steal data or escalate privileges. Apply the vendor patch, or update the device to the latest Android security patch level, immediately.
Vendor-confirmed: CVE-2025-48574 is a high-severity local privilege escalation in Android’s window management service that lets a malicious app silently intercept drag-and-drop events to steal sensitive data or perform unauthorized actions. Update devices to the latest Android security bulletin patch immediately.
Overview
A high-severity security vulnerability has been identified in the Android operating system’s window management service. The flaw allows a malicious application already installed on a device to intercept sensitive drag-and-drop events without requiring any special permissions or user interaction. This could enable local privilege escalation, granting the app greater control over the device than intended.
Vulnerability Details
The vulnerability exists within the validateAddingWindowLw function of the DisplayPolicy.java component, which is responsible for managing how application windows are displayed and layered on the screen. Because this function is missing a permission check, a malicious app can create a window that improperly overlays the screen. That window can secretly capture drag-and-drop actions (such as moving files, text, or images between applications) that were intended for other, legitimate apps.
Potential Impact
The primary risk is local privilege escalation. An attacker could leverage this access to:
- Steal Sensitive Data: Intercept confidential information (like passwords, documents, or authentication tokens) as a user drags it between apps.
- Perform Unauthorized Actions: Manipulate drag-and-drop operations to execute actions in a target app with the victim’s permissions.
- Compromise Device Integrity: Use the gained foothold as a stepping stone for further attacks on the device.
Exploitation requires a malicious app to be installed, but no further user interaction is needed once it’s running, making it a potent and stealthy threat.
Remediation and Mitigation
For End Users and IT Administrators:
- Apply Updates: The most critical action is to apply the latest Android security updates provided by your device manufacturer (OEM). This patch is included in the Android security bulletin for the relevant month. Verify that devices are running a patched version.
- Source Apps Carefully: Only install applications from official, trusted sources like the Google Play Store to reduce the risk of installing malware that could exploit this flaw.
- Review App Permissions: Regularly review installed applications and remove any that are unfamiliar or unnecessary.
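The verification step above can be scripted for a fleet. The following POSIX shell script is an added example, not part of the advisory: it reads a connected device's `ro.build.version.security_patch` property over `adb` and compares it with a required minimum patch level. The required date is a placeholder because the advisory does not name the bulletin month; take it from the Android security bulletin that fixes CVE-2025-48574.

```shell
#!/bin/sh
# Added example: verify that an Android device's security patch level is at or
# after the bulletin that fixes CVE-2025-48574. REQUIRED_PATCH_LEVEL is a
# placeholder (YYYY-MM-DD); set it to the real bulletin date before use.
REQUIRED_PATCH_LEVEL="${REQUIRED_PATCH_LEVEL:-}"

# patch_level_ok LEVEL REQUIRED
#   Returns 0 when LEVEL (YYYY-MM-DD) is on or after REQUIRED (YYYY-MM-DD),
#   1 when it is older, and 2 when either value is missing or malformed
#   (for example an empty property on a device that did not answer).
patch_level_ok() {
    level="$1"
    required="$2"
    for d in "$level" "$required"; do
        case "$d" in
            [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
            *) return 2 ;;
        esac
    done
    # ISO dates compare correctly as integers once the hyphens are removed.
    lvl=$(printf '%s' "$level" | tr -d '-')
    req=$(printf '%s' "$required" | tr -d '-')
    [ "$lvl" -ge "$req" ]
}

# device_patch_level [SERIAL]
#   Prints the device's security patch level, or nothing if adb cannot reach it.
device_patch_level() {
    if [ -n "$1" ]; then
        adb -s "$1" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n'
    else
        adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n'
    fi
}

# check_device [SERIAL]
#   Reports whether the device meets REQUIRED_PATCH_LEVEL. Exit status follows
#   patch_level_ok, so the script can drive an inventory or compliance job.
check_device() {
    serial="${1:-default}"
    level=$(device_patch_level "$1")
    patch_level_ok "$level" "$REQUIRED_PATCH_LEVEL"
    rc=$?
    case "$rc" in
        0) printf '%s: patch level %s meets %s\n' "$serial" "$level" "$REQUIRED_PATCH_LEVEL" ;;
        1) printf '%s: patch level %s is older than %s, update required\n' "$serial" "$level" "$REQUIRED_PATCH_LEVEL" ;;
        *) printf '%s: could not read a valid patch level (got "%s"), check adb access and REQUIRED_PATCH_LEVEL\n' "$serial" "$level" ;;
    esac
    return "$rc"
}

# Usage: REQUIRED_PATCH_LEVEL=YYYY-MM-DD ./check_patch.sh --check [SERIAL]
if [ "${1:-}" = "--check" ]; then
    check_device "${2:-}"
fi
```

Run it once per serial from `adb devices`; a non-zero exit marks a device that either still needs the update or could not be read, which should both be treated as unverified rather than patched.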
For Developers: Do not rely on drag-and-drop as a secure channel for highly sensitive data. Add encryption or an explicit confirmation step before acting on dropped content, because this vulnerability shows that the platform’s isolation guarantees for this mechanism can fail.