CVE-2024-10382 – a code execution vulnerability in the Car App Android Jetpack Library (22 Nov 2024)

Preface: Android Auto is a platform running on the user’s phone, projecting the Android Auto user experience to a compatible in-vehicle infotainment system over a USB connection. Android Auto supports apps designed for in-vehicle use.

Background: The Android for Cars App Library lets you bring your navigation, point of interest (POI), and internet of things (IoT) apps to the car.

android.car.app

Interfaces

OnDoneCallback – A host-side interface for handling success and failure scenarios on calls to the client.

OnRequestPermissionsListener – A listener with the results from a permissions request.

OnScreenResultListener – A listener to provide the result set by a Screen.

SurfaceCallback – A callback for changes on the SurfaceContainer and its attributes.

Vulnerability details: There is a code execution vulnerability in the Car App Android Jetpack Library. CarAppService uses deserialization logic that allows arbitrary Java classes to be constructed; in combination with other gadgets, this can lead to arbitrary code execution. An attacker needs an app that uses the CarAppService class to be present on the victim's Android device, and the victim would need to install a malicious app alongside it. We recommend upgrading the library past version 1.7.0-beta02.
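The remediation above is a version boundary, and androidx pre-release tags (alpha, beta, rc) do not sort correctly as plain strings. The following is an added example, not code from the advisory or from the Jetpack project: it scans Gradle dependency lines for the Car App library and flags versions at or below 1.7.0-beta02, following the "upgrade past" wording. The Maven group `androidx.car.app` is an assumption about where the library is published, and the build.gradle fragment is constructed for the demonstration.

```python
import re

# Assumed Maven group of the Car App library (not stated in the advisory).
AFFECTED_GROUP = "androidx.car.app"
# Advisory: upgrade past 1.7.0-beta02, so that version and anything older is treated as affected.
LAST_AFFECTED = "1.7.0-beta02"

# Pre-release stages in androidx release order; a stable release ranks above all of them.
_STAGES = {"alpha": 0, "beta": 1, "rc": 2}
_STABLE_RANK = 3

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc)(\d+))?")
# Matches the "group:artifact:version" coordinate inside a Gradle dependency line (Groovy or Kotlin DSL).
_DEP_RE = re.compile(r"['\"]([\w.\-]+):([\w.\-]+):([\w.\-]+)['\"]")


def parse_version(version):
    """Turn '1.7.0-beta02' into a tuple that orders like androidx releases:
    (major, minor, patch, stage rank, stage number)."""
    m = _VERSION_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised androidx version: {version}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, _STABLE_RANK, 0)
    return (major, minor, patch, _STAGES[m.group(4)], int(m.group(5)))


def is_affected(version):
    """True when the version is 1.7.0-beta02 or older."""
    return parse_version(version) <= parse_version(LAST_AFFECTED)


def scan_gradle(text):
    """Return 'artifact:version' for every Car App dependency in an affected version."""
    return [
        f"{artifact}:{version}"
        for group, artifact, version in _DEP_RE.findall(text)
        if group == AFFECTED_GROUP and is_affected(version)
    ]


# Constructed build.gradle fragment for the demonstration (not a real project).
SAMPLE_GRADLE = """
dependencies {
    implementation "androidx.car.app:app:1.4.0"
    implementation 'androidx.car.app:app-projected:1.7.0-beta01'
    implementation("androidx.car.app:app:1.7.0-beta03")
    implementation "androidx.appcompat:appcompat:1.7.0"
}
"""

if __name__ == "__main__":
    for hit in scan_gradle(SAMPLE_GRADLE):
        print(f"affected: {AFFECTED_GROUP}:{hit} (upgrade past {LAST_AFFECTED})")
```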

Official announcement: Please see the link below for details – https://nvd.nist.gov/vuln/detail/cve-2024-10382
