Recently I detected a security vulnerability in Android’s SQLite engine which can be exploited by a non-privileged application in order to disclose sensitive information. It enables a malicious application to eavesdrop on database activities performed by any other application using SQLite, allowing unauthorized access to information such as URL history, messages, and contacts.

The complete advisory can be found here.

Demo of the PoC:

I would like to thank the Android Security Team for the efficient and quick way in which they handled this security issue.