July 8, 2026
# How I Found CVE-2026–0098: Android App Version Spoofing & Silent Installation
**By Prashant Deshmukh (sivedcodes)** · *Published on [Medium/Dev.to]*
By Prashant Deshmukh
1 min read
How I Found CVE-2026–0098: Android App Version Spoofing & Silent Installation
— -
In early 2026, while conducting security research at V-Patrol AI Pvt. Ltd., I discovered a vulnerability that allowed an attacker to spoof an application's version number and trigger silent installations on Android devices — without the user's consent.
This vulnerability was assigned CVE-2026–0098 and was subsequently patched by Google in May 2026.
— -
The Discovery
I was reverse-engineering APKs using JADX and Ghidra, specifically looking at how the Play Store and system installers validate package signatures and version codes. During my analysis, I noticed something unusual in the way PackageManager and Intent resolution handled versionCode comparisons.
The exploit chain looked like this:
- Version Spoofing — By manipulating the
AndroidManifest.xmlduring repackaging, an attacker could present a lower versionCode than the installed app, triggering an "update" flow. - Silent Installation — Combined with specific
INSTALL_PACKAGESpermission abuse and Intent manipulation, the installation could proceed without user interaction on devices running certain Android versions.
Proof of Concept
I built a PoC using my APK Binder framework that:
- Decompiled a target APK
- Modified the
versionCodeandversionNamein the manifest - Repackaged and resigned the APK
- Delivered it via a malicious app that abused
FileProviderandIntentflags
Responsible Disclosure Timeline
| Date | Event | | — — — | — — — -| | Feb 2026 | Vulnerability discovered during internal research | | Feb 2026 | Reported to Google via VRP | | Mar 2026 | Google triages and confirms | | May 2026 | Security patch released (CVE-2026–0098) | | May 2026 | Public disclosure |
Key Takeaways
- Always verify version codes server-side, not just client-side
- Use
PackageManager.getPackageInfo()with proper flags - Never trust
Intentextras orFileProviderURIs from unknown sources
— -
This is the first of a series on Android security research. Follow me for more.