Android Package Installer DPC App Removal Privilege Escalation

CVE advisory

Severity: CRITICAL (CVSS 10.0)

CVE-2026-0068

A vulnerability exists in the Android Package Installer Service that could allow a malicious app to remove a DPC app without consent, potentially leading to local privilege escalation. Exploitation requires local access and user interaction to install a malicious application. Confirming relevance and exposure on manage

Halo Surface Signal

Very unlikely · external exposure

This vulnerability exists within the local PackageInstallerService of an Android device. Exploitation requires local access, user interaction, and physical manipulation of the device to install a malicious application, making it fundamentally internal and not reachable via the public internet.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability found in Android's Package Installer Service that could allow a malicious app to remove a trusted administrative app without explicit consent. While exploitation requires user interaction and local access, it represents a potential pathway for privilege escalation on managed devices. The primary concern is to confirm if this specific vulnerability is relevant to your managed Android environment.

  • App removal risk without consent.
  • Potential for unauthorized privilege escalation.
  • Confirm relevance and exposure on managed devices.

Attack Path

How an attacker could exploit the issue

An attacker could gain unauthorized control over a managed device by exploiting a flaw in the Package Installer Service, allowing them to remove a device management app without administrative consent. This is achievable if an attacker can trick a user into installing a malicious application, which then leads to privilege escalation.

  • Requires local access and user interaction.
  • Triggered by installing a malicious app.
  • Risk of unauthorized device control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow a malicious app installed on a managed device to remove a Device Policy Controller (DPC) app without administrator consent. This could occur when a user installs a malicious app that exploits a desynchronization issue in the Package Installer Service, leading to a local privilege escalation.

  • Managed device DPC app.
  • User installs malicious app.
  • Privilege escalation on device.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical vulnerability in Android's PackageInstallerService, allowing a malicious app to remove a DPC app without consent, requires careful ownership and triage. The primary concern is identifying devices with the affected PackageInstallerService, confirming exposure, and then engaging the appropriate team for remediation.

  • Own by Device Management/Endpoint Security.
  • Verify impacted devices and user context.
  • Plan coordinated DPC re-enrollment and patching.

Supplementary metadata

PCI scan relevance

Yes

CVE-2026-0068 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for the removal of a DPC app from a managed device without consent, which could lead to local privilege escalation. Such an authorization bypass would likely cause an ASV scan failure.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Frequently asked questions

What is the Android PackageInstallerService?

It is a core system component in the Android operating system responsible for managing the installation, updates, and removal of applications. In enterprise environments, it works alongside Device Policy Controllers (DPC) to enforce security configurations on managed devices. This vulnerability involves how that service handles the persistence and synchronization of these administrative applications.

What does CWE-362 mean for CVE-2026-0068?

CWE-362 refers to a Race Condition. In the context of this CVE, it describes a flaw where the system's internal state becomes desynchronized during the app installation process. This timing discrepancy can be manipulated to remove a critical management application, effectively tricking the system into bypassing the consent requirements that normally protect administrative tools.

How is CVE-2026-0068 triggered?

An attacker triggers this by convincing a user to install a malicious application onto their device. The bug is not triggered by simply browsing the web or receiving data remotely. It requires a specific sequence of local events, including the user manually installing the rogue software, which then exploits the desynchronization issue to gain elevated privileges.

Is my device exposed to CVE-2026-0068?

Halo Surface Signal classifies this as highly unlikely to be exposed via the internet because the flaw exists within the local PackageInstallerService. Because exploitation requires physical access, local installation, and direct user interaction, it is fundamentally an internal threat rather than a remote network attack vector.

What should I do if I manage Android devices?

Prioritize identifying your fleet of managed devices and verify your current patch level. Coordinate with your endpoint security teams to monitor for unauthorized removal of Device Policy Controller applications. Since this involves privilege escalation, your primary defense is ensuring users only install authorized software and planning for a coordinated update once the manufacturer releases a fix.
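One way to monitor for unauthorized DPC removal, as an added example that is not part of the original advisory or any vendor tooling: it compares successive inventory snapshots per device and flags a DPC that disappeared without an approved unenrollment, or a device that went silent while still enrolled. The snapshot fields, package names and the `sanctioned` set are hypothetical and would come from your own EMM export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DPC_PACKAGE = "com.example.dpc"  # hypothetical; use the DPC package your EMM deploys

def triage(snapshots, sanctioned, now, dpc=DPC_PACKAGE, max_silence=timedelta(days=3)):
    """Flag devices whose DPC vanished between snapshots or that stopped reporting."""
    # snapshots: dicts with device_id, taken_at (ISO 8601) and packages (assumed format).
    by_device = defaultdict(list)
    for s in snapshots:
        by_device[s["device_id"]].append(
            (datetime.fromisoformat(s["taken_at"]), set(s["packages"])))
    findings = []
    for dev, history in sorted(by_device.items()):
        if dev in sanctioned:  # administrator-approved unenrollment
            continue
        history.sort(key=lambda h: h[0])
        for (_, before), (when, after) in zip(history, history[1:]):
            if dpc in before and dpc not in after:
                # Packages that appeared in the same window are triage leads.
                findings.append({"device_id": dev, "kind": "dpc_removed",
                                 "seen_at": when.isoformat(),
                                 "new_packages": sorted(after - before)})
                break
        else:
            # A device that lost its DPC may simply stop checking in.
            last_seen, last_pkgs = history[-1]
            if dpc in last_pkgs and now - last_seen > max_silence:
                findings.append({"device_id": dev, "kind": "silent",
                                 "seen_at": last_seen.isoformat(),
                                 "new_packages": []})
    return findings

# Constructed sample inventory, not real telemetry.
NOW = datetime(2026, 3, 3)
SAMPLE = [
    {"device_id": "dev-a", "taken_at": "2026-03-01T08:00:00",
     "packages": ["com.example.dpc", "com.example.mail"]},
    {"device_id": "dev-a", "taken_at": "2026-03-02T08:00:00",
     "packages": ["com.example.mail", "com.example.flashlight"]},
    {"device_id": "dev-b", "taken_at": "2026-03-01T08:00:00", "packages": ["com.example.dpc"]},
    {"device_id": "dev-b", "taken_at": "2026-03-02T08:00:00", "packages": []},
    {"device_id": "dev-c", "taken_at": "2026-02-20T08:00:00", "packages": ["com.example.dpc"]},
    {"device_id": "dev-d", "taken_at": "2026-03-02T08:00:00", "packages": ["com.example.dpc"]},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, {"dev-b"}, NOW):
        print(finding)
```
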
