Beware of Malicious Apps on Your Element Android Device

CVE: CVE-2024-26131
CVSS v3.1: 8.4
Source: CVE-2024-26131

Element Android is a popular messaging app for Android devices. Unfortunately, versions 1.4.3 through 1.6.10 of Element Android are vulnerable to an intent redirection attack.

This vulnerability allows a malicious third-party app installed on the same device to launch any internal activity within Element Android by passing extra parameters with intents. Attackers could exploit this to display arbitrary web pages within the app, run JavaScript code without permission, or bypass the PIN lock screen. Most concerning is the ability to trigger the login screen and steal users’ account credentials.

The attack works by abusing Android’s inter-app communication system called intents. Malicious actors develop apps that request sensitive permissions like accessing the internet. Once installed, these apps can launch internal activities in Element Android like the login page without the user’s knowledge.

The good news is this issue has been fixed in Element Android version 1.6.12. However, users with vulnerable versions still need to be cautious of installing untrusted apps that could exploit this flaw. The best way to protect yourself is to only download apps from official app stores and keep Element Android updated to the latest version. You should also consider removing any recently installed apps if you notice any strange behavior in your messaging activities. Staying vigilant against malicious mobile apps is key to protecting your online accounts and privacy.
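
An added example, not from the advisory or the Element project: a Python check that classifies an installed Element Android version against the ranges stated above, reading the `versionName=` line from `adb shell dumpsys package <package-id>` output. The device labels and dumpsys excerpts are constructed, and 1.6.11 is reported separately because the text lists it neither as affected nor as fixed.

```python
import re

# Bounds taken from the text above: 1.4.3 through 1.6.10 affected, 1.6.12 fixed.
FIRST_AFFECTED, LAST_AFFECTED, FIRST_FIXED = (1, 4, 3), (1, 6, 10), (1, 6, 12)

# `dumpsys package` prints a line such as "    versionName=1.6.10".
_VERSION_LINE = re.compile(r"^\s*versionName=(\d+)\.(\d+)\.(\d+)", re.MULTILINE)

# Constructed sample input: device label -> excerpt of dumpsys output.
SAMPLE_REPORTS = {
    "phone-a": "  Packages:\n    versionCode=1 minSdk=21\n    versionName=1.6.9\n",
    "phone-b": "    versionName=1.6.12\n",
    "phone-c": "    versionName=1.6.11\n",
    "phone-d": "Unable to find package\n",
}


def parse_version_name(dumpsys_text):
    """Return (major, minor, patch) as ints, or None if no version line."""
    match = _VERSION_LINE.search(dumpsys_text)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(version):
    """Compare numerically: as strings, "1.6.9" would sort after "1.6.10"."""
    if version is None:
        return "unknown"
    if version < FIRST_AFFECTED:
        return "below-affected-range"
    if version <= LAST_AFFECTED:
        return "vulnerable"
    if version >= FIRST_FIXED:
        return "fixed"
    return "unlisted"  # 1.6.11: neither range in the text covers it


def triage(reports):
    """Map each device label to its status."""
    return {dev: classify(parse_version_name(text)) for dev, text in reports.items()}


if __name__ == "__main__":
    for device, status in triage(SAMPLE_REPORTS).items():
        print(f"{device}: {status}")
```

Devices reported as `vulnerable` or `unlisted` should be updated to 1.6.12 or later.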
