CVE-2025-0087: Elevation of privilege in Google Android
In onCreate of UninstallerActivity.java, there is a possible way to uninstall a different user's app due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AI Analysis
Technical Summary
CVE-2025-0087 is a medium-severity local privilege escalation vulnerability affecting Google Android versions 13, 14, and 15. The flaw exists in the onCreate method of the UninstallerActivity.java component, where a missing permission check allows an unprivileged local user to uninstall applications belonging to other users on the same device. This vulnerability arises from improper access control, specifically CWE-689 (Control Flow Manipulation). Exploitation does not require any additional execution privileges or user interaction, making it possible for a local attacker or malicious app to escalate privileges silently. The vulnerability impacts confidentiality slightly by enabling unauthorized removal of apps, and availability by potentially disrupting app functionality through uninstallation. The CVSS 3.1 base score is 5.1 (medium), reflecting the local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), limited confidentiality impact (C:L), no integrity impact (I:N), and low availability impact (A:L). No known exploits are currently reported in the wild, and no patches have been linked yet. This vulnerability highlights the importance of strict permission checks in multi-user Android environments to prevent unauthorized app management actions.
Potential Impact
For European organizations, this vulnerability could pose risks primarily on shared or multi-user Android devices, such as those used in enterprise mobility, kiosks, or shared work environments. Unauthorized uninstallation of critical business or security apps could lead to operational disruptions, loss of security controls, or exposure to further attacks if protective apps are removed. Although the confidentiality impact is limited, availability impact could affect business continuity, especially in sectors relying on mobile device management (MDM) solutions or secure app ecosystems. The lack of required user interaction increases the risk of stealthy exploitation by malicious insiders or compromised apps. Organizations with Bring Your Own Device (BYOD) policies or shared device usage should be particularly cautious. However, the vulnerability does not allow remote exploitation, limiting its impact to local attackers with device access.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Enforce strict device access controls to limit local user access, including strong lock screen policies and user authentication.
2) Restrict installation of untrusted or unnecessary apps that could exploit this vulnerability.
3) Monitor device logs for unusual app uninstallations or activity related to UninstallerActivity.
4) Deploy Mobile Device Management (MDM) solutions that can detect and prevent unauthorized app removals and enforce app whitelisting.
5) Educate users about the risks of installing apps from unknown sources and the importance of device security hygiene.
6) Stay alert for official patches or updates from Google and apply them promptly once available.
7) For shared devices, consider isolating user profiles or limiting app management capabilities to trusted administrators only.
These steps go beyond generic advice by focusing on controlling local access and monitoring app uninstall behaviors specific to this vulnerability.
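The log monitoring recommended in mitigation 3, as an added example that is not part of the original advisory: a Python filter over logcat output that picks out UninstallerActivity launches and flags those started by a caller outside an allowlist, or by a caller belonging to a different Android user than the one the activity starts in. The log lines are constructed, the allowlisted app IDs are hypothetical, and the `ActivityTaskManager: START` line layout is an assumption about `logcat -v threadtime` output; both flags are monitoring heuristics, not a description of how the flaw is triggered.

```python
import re

# Assumed layout of an ActivityTaskManager START line in `logcat -v threadtime`.
START_RE = re.compile(
    r"ActivityTaskManager: START u(?P<user>\d+) \{(?P<intent>[^}]*)\} from uid (?P<uid>\d+)")
PER_USER_RANGE = 100000  # Android: userId = uid // 100000, appId = uid % 100000

# Hypothetical allowlist: app IDs expected to start uninstalls on this fleet
# (for example the system UID and the launcher).
EXPECTED_CALLER_APP_IDS = {1000, 10085}

# Constructed sample lines, not captured from a device.
PI = "com.google.android.packageinstaller/com.android.packageinstaller.UninstallerActivity"
SAMPLE_LOG = [
    f"10-18 08:01:02.100  1520  1893 I ActivityTaskManager: START u0 {{act=android.intent.action.DELETE dat=package:com.example.notes cmp={PI}}} from uid 10085",
    "10-18 08:01:09.412  1520  1893 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.example.notes/.MainActivity} from uid 10085",
    f"10-18 08:03:44.007  1520  2210 I ActivityTaskManager: START u0 {{act=android.intent.action.UNINSTALL_PACKAGE dat=package:com.example.mdm.agent cmp={PI}}} from uid 1010231",
    f"10-18 08:05:12.650  1520  2210 I ActivityTaskManager: START u0 {{act=android.intent.action.DELETE dat=package:com.example.vpn cmp={PI}}} from uid 10231",
]

def parse_uninstall_starts(lines):
    """Yield one dict per UninstallerActivity launch found in logcat lines."""
    for line in lines:
        m = START_RE.search(line)
        if not m or "UninstallerActivity" not in m["intent"]:
            continue
        uid = int(m["uid"])
        pkg = re.search(r"dat=package:(\S+)", m["intent"])
        yield {
            "target_user": int(m["user"]),          # user the activity starts in
            "caller_uid": uid,
            "caller_user": uid // PER_USER_RANGE,   # Android user owning the caller
            "caller_app_id": uid % PER_USER_RANGE,
            "package": pkg.group(1) if pkg else None,
        }

def flag_suspicious(lines):
    """Return uninstall launches from unexpected callers or across Android users."""
    alerts = []
    for ev in parse_uninstall_starts(lines):
        reasons = []
        if ev["caller_app_id"] not in EXPECTED_CALLER_APP_IDS:
            reasons.append("unexpected-caller")
        if ev["caller_user"] != ev["target_user"]:
            reasons.append("cross-user")
        if reasons:
            alerts.append({**ev, "reasons": reasons})
    return alerts
```

Feed `flag_suspicious` the lines of a collected logcat buffer or bug report, and tune the allowlist to the callers that legitimately start uninstalls on the fleet.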
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Ireland
Technical Details
- Data Version: 5.1
- Assigner Short Name: google_android
- Date Reserved: 2024-12-13T16:56:09.215Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68b9d3bd88499799243bc13f
Added to database: 9/4/2025, 6:00:29 PM
Last enriched: 9/11/2025, 8:36:29 PM
Last updated: 10/18/2025, 8:09:59 AM