CVE-2026-0089: Android PackageInstallerService Permission Check Bypass – Local Privilege Escalation
CVE-2026-0089 is a vulnerability in Android's PackageInstallerService that allows a local attacker with basic user-level permissions to bypass security checks and install applications without proper verification. Because the vulnerability exists in multiple functions that lack proper permission validation, an attacker can escalate their privileges by sidestepping the normal app installation safeguards. No user interaction or special device access is required to exploit this flaw once an attacker has obtained standard user privileges on the device.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.8 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-269
- Affected products
- 3 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
In multiple functions of PackageInstallerService.java, there is a possible way to install unverified apps due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in PackageInstallerService.java within multiple functions that handle application installation. The root cause is a missing permission check (CWE-269: Improper Access Control) that fails to properly validate whether the calling process has the authority to install packages. An attacker with local access and standard Linux user privileges can invoke these functions directly, bypassing the intent permission model that normally restricts package installation to the system installer or explicitly granted callers. The absence of this validation allows installation of arbitrary applications without the signature verification and security policy checks that would normally be enforced.
Business impact
If exploited, this vulnerability enables unauthorized installation of malicious applications on Android devices with standard user-level access. An attacker could install spyware, ransomware, or other malicious apps to steal data, monitor communications, or take control of device functions. For organizations managing Android devices, this represents a significant supply-chain and endpoint security risk; any standard user account compromise immediately becomes a pathway to broader device compromise. The lack of required user interaction means the attack can occur silently without alerting the device owner.
Affected systems
This vulnerability affects Google Android across multiple versions. The source data indicates the vulnerability impacts Android broadly; organizations should verify the specific version range with Google's security advisory to determine which devices in their fleet are affected. Both the core Android OS and any devices running vulnerable Android versions are at risk if a local attacker gains user-level access.
Exploitability
The vulnerability is relatively straightforward to exploit once an attacker has local access to the device with standard user privileges. The attack requires no special capabilities, elevated permissions, or user interaction—the attacker can directly call the vulnerable PackageInstallerService functions to install unverified applications. However, initial compromise to obtain user-level access would still be required; this is not a remote vulnerability. The lack of additional prerequisites makes it a critical post-compromise escalation vector for mobile threat actors.
Remediation
Apply security updates from Google for Android as soon as they become available. Google has modified PackageInstallerService.java to implement proper permission validation in the affected functions. The patch ensures that installation requests are correctly validated against the Android permission model before allowing package installation. Device owners should enable automatic security updates and prioritize deployment of patches to minimize the window of vulnerability.
Patch guidance
Monitor Google's Android Security & Privacy Release Bulletin for the official patch version addressing CVE-2026-0089. Apply the patch through your standard Android update mechanism—either automatic updates on personal devices or through your mobile device management (MDM) solution for enterprise deployments. Because this is a local privilege escalation vulnerability, patching is important to defense-in-depth posture, particularly in environments where user accounts may be compromised. Verify patch deployment completion to ensure no devices remain unpatched.
Detection guidance
Monitor system logs for suspicious PackageInstallerService invocations, particularly from non-standard caller processes or applications that should not have installation privileges. Endpoint detection and response (EDR) tools on Android can flag unexpected application installations that bypass standard system installer channels. Look for installation of unsigned or unverified applications, unexpected package manager activity, and installation events that do not correlate with user app store activity. On enterprise devices, mobile threat defense (MTD) solutions can detect unusual installation patterns and combinations with other suspicious activity.
Why prioritize this
This vulnerability scores 7.8 (HIGH) under CVSS v3.1 due to high impact (confidentiality, integrity, and availability all affected) with low attack complexity and low privilege requirements. The absence of required user interaction is particularly concerning; an attacker who has gained initial user-level access can exploit this silently and immediately. While not yet in the CISA Known Exploited Vulnerabilities catalog, the straightforward nature of exploitation and the criticality of preventing unauthorized app installation make this a priority for patching, especially in organizations handling sensitive data on mobile devices.
Risk score, explained
The 7.8 HIGH severity reflects the combination of: (1) high impact—installation of malicious apps compromises all three confidentiality, integrity, and availability dimensions of device security; (2) low attack complexity—the vulnerability is inherent in the function logic and requires no special conditions; (3) low privilege requirements—only standard user-level access is needed; (4) no user interaction required—the exploit occurs automatically once triggered. The local attack vector prevents a critical rating, but the ease of exploitation and potential for complete device compromise within an already-compromised user context makes this a high-priority vulnerability.
Frequently asked questions
If my Android device is updated, am I protected from this vulnerability?
Yes, once you apply the security patch addressing CVE-2026-0089, the missing permission check is remediated and the vulnerability is closed. Ensure automatic updates are enabled, or manually verify your device is running the latest security patch level through Settings > System > System Update.
Can this vulnerability be exploited remotely?
No. CVE-2026-0089 is a local vulnerability requiring the attacker to already have access to the device as a standard user. An attacker cannot exploit this directly from the network; however, once a device is compromised through other means (malware, phishing, or credential compromise), this vulnerability becomes a silent escalation vector.
Why does this matter if an attacker already has user access?
An attacker with standard user privileges normally cannot install arbitrary applications—Android's permission model restricts package installation. This vulnerability removes that guardrail, allowing the attacker to install spyware or other malicious apps without the compromised user's awareness or intervention. It turns a limited user compromise into full device compromise.
Is this vulnerability being actively exploited?
As of the publication date, this vulnerability is not listed on CISA's Known Exploited Vulnerabilities catalog. However, given the ease of exploitation and the value of unauthorized app installation for threat actors, organizations should treat patching as urgent rather than waiting for evidence of active exploitation.
This analysis is based on publicly available information as of the publication date. No exploit code or proof-of-concept is provided. Organizations must verify patch availability and version numbers against official Google Android Security Advisories before implementation. This vulnerability requires local device access; it is not remotely exploitable. For enterprise deployments, consult your MDM vendor and mobile security team for coordinated patching strategies. SEC.co assumes no liability for the accuracy of third-party vendor information or for damages resulting from patch deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-0009HIGHAndroid Tapjacking Local Privilege Escalation Vulnerability
- CVE-2026-0091HIGHAndroid Launcher Privilege Escalation Vulnerability (CVSS 7.8)
- CVE-2026-0016LOWAndroid Credential Manager Permission Bypass & Cross-User Data Disclosure
- CVE-2026-0046MEDIUMAndroid Tapjacking Permission Escalation Vulnerability
- CVE-2026-0048MEDIUMAndroid Tapjacking Vulnerability – Privilege Escalation via WindowState
- CVE-2026-0050LOWAndroid Bluetooth Permissions Bypass Information Disclosure
- CVE-2026-0055MEDIUMAndroid Path Traversal in PackageInstallerService Enables Local Privilege Escalation to Device Policy Controller
- CVE-2026-0086MEDIUMAndroid DisableSupervisionActivity Privilege Escalation via Null Check Bypass