Introduction
Attackers can silently record everything displayed on a user's Android device without consent, simply by installing a malicious app. This risk is not hypothetical: a critical flaw in Android's MediaProjection permission workflow allows bypassing the screen recording consent dialog, exposing sensitive data to unauthorized capture.
Technical Information
CVE-2025-32322 is a high-severity vulnerability (CVSS 7.8) in the Android Framework, specifically within the MediaProjectionPermissionActivity.java component. The MediaProjection API, introduced in Android 5.0, is intended to allow apps to capture screen and audio content only after explicit user approval via a system dialog. This dialog is a key privacy safeguard, warning users when an app requests screen recording access.
In Android 13 and 14, improper input validation in the onCreate method of MediaProjectionPermissionActivity.java allows a malicious app to bypass this dialog. By crafting specific input to the activity, an attacker can obtain a valid MediaProjection token without triggering the user consent flow. This is a local privilege escalation: the malicious app does not require special permissions or user interaction beyond installation. The vulnerability is categorized as CWE-20 (Improper Input Validation).
No public code snippets are available for this issue, but the vulnerability is confirmed in the September 2025 Android Security Bulletin and several external advisories. The flaw is similar in impact to CVE-2018-9524, which previously affected a majority of Android devices by enabling UI overlay attacks to trick users into granting screen recording access.
Patch Information
Google addressed CVE-2025-32322 in the September 2025 Android Security Bulletin. The fix is included in security patch level 2025-09-05. Users and organizations should update affected devices to this patch level as soon as possible.
Reference: Android Security Bulletin September 2025
Affected Systems and Versions
- Android 13
- Android 14
Devices running these versions are vulnerable until updated to security patch level 2025-09-05 or later. The flaw exists in the MediaProjectionPermissionActivity component as implemented in these Android releases. No other versions are confirmed affected based on available advisories.
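Apps that display sensitive content (banking, authenticators, messaging) can reduce their exposure while devices remain unpatched. The following is an added example written for this advisory; it is not code from the Android project or from the bulletin. It assumes the standard Android framework APIs Build.VERSION.SECURITY_PATCH (an ISO-formatted "YYYY-MM-DD" string on stock builds; some OEM builds may deviate, which the code treats as unknown) and WindowManager.LayoutParams.FLAG_SECURE, which excludes a window's contents from screen capture, including capture through MediaProjection. The activity name SensitiveActivity and the helper method names are hypothetical.

```java
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.WindowManager;

// Added example: app-side mitigation for an unpatched MediaProjection
// consent bypass. Not part of the advisory or the Android source.
public class SensitiveActivity extends Activity {

    // Patch level that ships the fix for CVE-2025-32322 (from the advisory).
    static final String FIXED_PATCH_LEVEL = "2025-09-05";

    // Android 13 (API 33) and Android 14 (API 34) are the affected releases.
    static boolean isAffectedRelease(int sdkInt) {
        return sdkInt == Build.VERSION_CODES.TIRAMISU
                || sdkInt == Build.VERSION_CODES.UPSIDE_DOWN_CAKE;
    }

    // Returns true when the reported security patch level is older than the
    // fixing level. ISO dates compare correctly as plain strings. A missing or
    // non-ISO value is treated as unpatched so the caller fails closed.
    static boolean isPatchLevelBelowFix(String securityPatch) {
        if (securityPatch == null || !securityPatch.matches("\\d{4}-\\d{2}-\\d{2}")) {
            return true; // unknown format: assume vulnerable
        }
        return securityPatch.compareTo(FIXED_PATCH_LEVEL) < 0;
    }

    // Combines both checks for the running device.
    static boolean deviceLikelyVulnerable(int sdkInt, String securityPatch) {
        return isAffectedRelease(sdkInt) && isPatchLevelBelowFix(securityPatch);
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // FLAG_SECURE keeps this window out of screenshots and screen
        // recordings regardless of whether a MediaProjection session was
        // consented to, so it is a reasonable default for sensitive screens.
        // Applying it unconditionally is the safest choice; the vulnerability
        // check below is useful for telemetry or for showing a warning.
        getWindow().addFlags(WindowManager.LayoutParams.FLAG_SECURE);

        if (deviceLikelyVulnerable(Build.VERSION.SDK_INT, Build.VERSION.SECURITY_PATCH)) {
            // Hypothetical hook: report to the app's own logging/telemetry or
            // prompt the user to install the 2025-09-05 security update.
            onUnpatchedDeviceDetected(Build.VERSION.SECURITY_PATCH);
        }
    }

    // Placeholder for the app's own handling; implementation is app-specific.
    protected void onUnpatchedDeviceDetected(String securityPatch) {
        // e.g. log an event or display an in-app advisory to the user
    }
}
```

The flag must be set before the window is drawn, which is why it sits in onCreate; setting it later leaves an opportunity for the first frames to be captured. Note that FLAG_SECURE protects only this app's own windows, so it does not substitute for installing the patch, which closes the consent bypass for all apps on the device.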
Vendor Security History
Google has previously addressed similar MediaProjection vulnerabilities, notably CVE-2018-9524, which allowed attackers to use UI overlays to trick users into granting screen recording access. That issue affected over 77 percent of Android devices at the time and highlighted the risks inherent in permission workflows for sensitive APIs. Google's patch response is generally prompt for core Android vulnerabilities, but device ecosystem fragmentation often results in slow patch adoption across the user base.