Abstract
The fragmented nature of the Android market makes it difficult to enforce consistent security practices across all devices and vendors. Low-level and hardware-bound components such as the bootloader, Fastboot, kernel, device drivers, and the recovery partition are vendor-specific. Each vendor must implement the standard Hardware Abstraction Layer interface for Android to communicate with the hardware, and these vendor-specific components are typically located in the vendor partition of the device. We identify a critical vulnerability, which we name AVBTestKeyInTheWild, in the Android firmware supply chain that enables attackers to flash modified firmware images on locked devices without wiping the userdata partition. By exploiting weak signing practices, such as the use of Android Open Source Project test keys in production firmware, attackers can bypass bootloader integrity checks, retain user data, and compromise device security without user interaction. The vulnerability affects multiple manufacturers and devices, posing significant risks to user privacy, device integrity, and the Android ecosystem as a whole. We provide a detailed analysis of the attack path, demonstrate exploitation on devices from different System-on-Chip vendors, and highlight the limitations of current integrity verification mechanisms, such as Android Verified Boot and key attestation. As the vulnerability impacts multiple vendors, we worked with Google, in addition to the impacted OEMs, on the coordinated disclosure process to inform all involved parties properly. The vulnerability was reported privately with an ethical vendor response window of 90 days before public disclosure.
While impacted devices cannot, to the best of our knowledge, be fixed, we suggest detection mechanisms and recommendations for mitigating the vulnerability, including stricter firmware signing protocols, enhanced attestation processes, and improved testing frameworks, to prevent the production of vulnerable devices in the future.
| Original language | English |
|---|---|
| Title of host publication | The 4th Workshop on Security and Privacy in Connected Embedded Systems (SPICES 2025) |
| Number of pages | 6 |
| Edition | 1 |
| Publication status | Published - 2025 |
Fields of science
- 102 Computer Sciences
- 505015 Legal informatics
- 102016 IT security
JKU Focus areas
- Sustainable Development: Responsible Technologies and Management
- Digital Transformation
Projects
- 1 Active
- Christian Doppler Laboratory for Private Digital Authentication in the Physical World - Digidow
  Mayrhofer, R. (PI)
  01.01.2020 → 31.12.2026
  Project: Funded research › CDG - Christian Doppler Forschungsgesellschaft