Android Framework dumpBitmapsProto Missing Permission Check Local Privilege Escalation

Repository is a standalone Android PoC for CVE-2026-0047, a missing permission check in ActivityManagerService.dumpBitmapsProto() on vulnerable Android 16 QPR2 Beta builds. It contains two Android application modules plus an automation script. The app/ module is an audit/demo PoC with a UI that can enumerate system services, test Binder dump exposure, simulate the vulnerable/patched behavior via a local FakeAmsService, and trigger the real Binder-based exploit path against the Android 'activity' service. The attacker/ module is a more realistic disguised app ('Flashlight Pro') that silently performs data harvesting and demonstrates exfiltration behavior, including scanning readable /proc files, installed packages, settings/content-provider accessible data, and external storage paths, then attempting the same bitmap-dump abuse. Both modules include local simulated vulnerable services to illustrate the bug class and patch. The main exploit capability is local privilege bypass/information disclosure via raw Binder IPC, not remote network exploitation. The shell script exploit.sh automates emulator setup, vulnerability probing with 'service call activity 117', APK build/install, UI interaction to trigger exploitation, and extraction of resulting bitmap artifacts from app-private storage. The exploit uses a crafted Parcel/ParcelFileDescriptor pipe to invoke dumpBitmapsProto() without android.permission.DUMP, then parses returned protobuf-like output for embedded PNG signatures and extracts stolen UI images. This is a real exploit PoC rather than just a detector, though it is operational/demo-grade rather than framework-weaponized. No hardcoded C2 or external exfiltration endpoints are present; exfiltration is local to device/app storage and host-side ADB retrieval.