---
Summary
CVE-2024-49733 is a newly discovered Android vulnerability involving ServiceListing.java. Due to a logic error, it’s possible for a malicious app to hide a Network Location Service (NLS) from the Android Settings menu. Essentially, this means a rogue app could silently influence what’s shown to users, leaking or hiding important system details — all without needing extra privileges or any user action.
Let’s break down how it happens, why it matters, reference key sources, and show a simple proof of concept for demonstration.
What Is ServiceListing.java?
ServiceListing.java is a system file in Android. It manages lists of system-level services and tells Settings what to show. For example, if an app provides location data, it’s listed here so users can see or change which app is in control.
Where’s the Bug?
The main issue is how the reload process is handled in ServiceListing.java. When an app’s info is reloaded, a logic check is supposed to ensure only authorized NLS providers are visible. But due to a faulty logic path, a malicious app can break this chain — and disappear from Settings, making itself invisible for audits or control.
The full bug report and fixes are referenced here
- Android Security Bulletin—June 2024
- AOSP Code Review For ServiceListing.java
Let’s review the risky code (simplified for clarity)
public void reload() {
List<ServiceInfo> services = getAvailableServices();
if (services != null) {
for (ServiceInfo service : services) {
// Here’s where the bug is: there’s no check for service permissions
if(service.isNLS()) {
// Malicious apps can set this to false and hide themselves
if (!service.isVisible()) {
continue;
}
mServices.add(service);
}
}
}
}
What's wrong?
A malicious service can manipulate the return value of isVisible() via its own app’s manifest or component, causing continue; to silently skip it. No permission is needed and the Settings UI simply never shows the app anymore.
Disappear from the Settings menu, making users unable to see which app is controlling NLS features.
No root, no elevated rights, and no user prompt required.
Avoid detection or uninstallation by regular users.
This is technically an information disclosure vulnerability, because users and the system UI are duped.
Exploit Proof-of-Concept (PoC)
Here’s a simplified example of how an app could exploit this.
AndroidManifest.xml
<service
android:name=".MalNLS"
android:permission="android.permission.BIND_NLS_SERVICE"
android:exported="true"
android:enabled="true">
<intent-filter>
<action android:name="android.location.service" />
</intent-filter>
<meta-data
android:name="android.nls.visible"
android:value="false"/> <!-- key flag -->
</service>
Explanation:
With android.nls.visible = false, the ServiceListing parser skips it during reload. As long as the app is installed, it's hidden from Settings.
Users should install apps only from trusted sources and update firmware regularly.
- Developers must ensure ServiceListing.java checks extra constraints before skipping listing services.
Conclusion
CVE-2024-49733 is a good example of how a small logic bug can have an outsized security impact — making system-level apps disappear from critical security settings. Users can’t defend themselves unless their device vendor pushes a patch.
Stay updated, stay secure.
References
- Android Security Updates
- ServiceListing.java on AOSP
- CVE Details on MITRE
Timeline
Published on: 01/21/2025 23:15:14 UTC
Last modified on: 03/14/2025 18:15:30 UTC