← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2025-21615 · CWE-200 · Disclosed 2025-01-06

AAT

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a bike computer with a side pocket left open to other apps on the same phone

CVE-2025-21615 is an information disclosure flaw in AAT (Another Activity Tracker) where Android builds before v1.26 let a malicious app on the *same device* read AAT data, including geolocation/GPX content. GitHub's advisory marks <= v1.25.2 as affected and v1.26 as patched; the fix notes point to an Android-side change limiting the exported file-sharing path.

The vendor's MEDIUM 5.5 is technically fair in CVSS terms, but operationally it's too loud for enterprise patch triage. This is AV:L + UI:R, requires a second malicious app to already land on the phone, hits a niche fitness app, and the blast radius is usually one user / one device / confidentiality only. For a team managing 10,000 hosts, that is backlog material unless you specifically manage Android devices with AAT installed.

"Real bug, real privacy loss, but it is a niche Android local-app issue—not a fleet-wide patch fire."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Land a malicious Android app on the device

The attacker first needs a separate Android app on the same handset. Weaponized tool: a trojanized APK or sideloaded utility abusing Android app-to-app access patterns; there is no public PoC repo surfaced in primary-source searches, so the attacker is mostly working from the advisory and patch diff.
Conditions required:
  • Target uses the Android variant of AAT
  • Attacker can get a second app installed on the same phone
  • User permits installation or the app arrives through another compromise path
Where this breaks in practice:
  • This is already post-initial-access on the endpoint
  • Managed Play / MDM allowlists, app reputation, and mobile EDR reduce reachable population
  • AAT is a niche app, so many enterprises will have zero exposure
Detection/coverage: Network scanners will miss this entirely. Detection lives in MDM/mobile EDR/app inventory: look for package ch.bailu.aat plus unapproved sideloaded apps.
STEP 02

Query the exposed AAT sharing surface

Before v1.26, a malicious app can interact with AAT's Android-side file/provider path and read data it should not receive. Weaponized tool: an Android app issuing content:// reads or equivalent provider access against AAT's exported sharing component, as implied by the advisory and the v1.26 fix replacing the broad provider path with a more limited GpxSendViewProvider implementation.
Conditions required:
  • Vulnerable AAT version <= v1.25.2
  • Attacker app can invoke Android content/provider APIs locally
  • AAT has stored track data on the device
Where this breaks in practice:
  • No remote path from the internet
  • Exploit value drops to near-zero if the user never stored meaningful track history
  • Patch diff suggests the issue is narrow and specific, not a broad platform bypass
Detection/coverage: Traditional vuln scanners have poor coverage. Mobile telemetry that records inter-app provider access may catch it; most enterprise tools will only confirm the vulnerable package version.
STEP 03

Read GPX and geolocation data

Once the provider is reached, the attacker can pull sensitive activity records, including geolocations. Weaponized tool: local exfil code inside the malicious app that parses GPX or related AAT data and turns it into route history, home/work patterns, or location intelligence.
Conditions required:
  • AAT contains track history or exported files worth stealing
  • Attacker app successfully reads the provider output
Where this breaks in practice:
  • Impact is confidentiality only; no integrity or availability impact is documented
  • Data scope is confined to what AAT stores for that user
  • Blast radius is per-device, not tenant- or domain-wide
Detection/coverage: DLP and network egress controls may only see generic HTTPS from the malicious app. The strongest signal is still package/version inventory plus suspicious unapproved apps on managed phones.
STEP 04

Exfiltrate off-device

The stolen location history then leaves the handset over normal app traffic. Weaponized tool: commodity HTTPS upload from the malicious app to attacker infrastructure; nothing about this CVE grants broader device takeover by itself.
Conditions required:
  • Attacker controls an external collection endpoint
  • Device has outbound connectivity
Where this breaks in practice:
  • Mobile network controls may block unknown destinations
  • Even successful theft usually exposes one user's activity history, not enterprise crown jewels
  • No evidence of wide in-the-wild exploitation or KEV listing
Detection/coverage: Possible via mobile threat defense, DNS filtering, CASB/SWG for managed devices, or retrospective traffic analytics. CVE-specific signature coverage is likely weak.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo public active exploitation evidence found in primary-source review, and the flaw is not in CISA KEV.
Proof-of-concept availabilityNo public exploit repo or vendor PoC found in primary-source searches. The main attacker aid is the public patch diff and release notes.
EPSSUser-provided EPSS is 0.00103 (~0.103% 30-day probability), which is firmly low-signal for prioritization.
KEV statusNot listed in the CISA Known Exploited Vulnerabilities catalog.
CVSS vector reality checkCVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N means local-only, user interaction required, and confidentiality-only impact. That is a classic downward-pressure enterprise profile.
Affected versionsGitHub advisory and OSV indicate AAT versions below v1.26 are affected; GitHub explicitly lists <= v1.25.2.
Fixed versionPatched in v1.26. The release note says: *Fix security issue in GpxSendViewProvider: limit access to only exported file*.
Exposure / scanning realityShodan/Censys/GreyNoise are basically irrelevant here. This is not an internet-facing service; exposure depends on whether managed Android devices have package ch.bailu.aat installed.
Disclosure chronologyPublished 2025-01-06; NVD shows the record as not scheduled for enrichment, so vendor/GitHub material is the authoritative detail source.
Reporter / maintainer signalThe advisory was published by the project maintainer on GitHub; no separate external researcher credit is named in the advisory.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to LOW (2.8/10)

The decisive factor is attacker position: exploitation requires a malicious app already installed on the same Android device, which makes this a post-initial-access mobile privacy bug rather than a remotely reachable enterprise compromise path. The second amplifier in the opposite direction is that the data can include precise geolocation, but that still does not overcome the narrow exposure population and one-device blast radius.

HIGH Attack-path friction: local malicious-app prerequisite materially suppresses enterprise urgency
MEDIUM Deployment prevalence: AAT appears niche, but exact fleet prevalence depends on your mobile estate

Why this verdict

  • Downgrade for attacker position: this is AV:L on Android and effectively requires a second malicious app on the same phone, so the attacker is already past the hardest part
  • Downgrade for reachable population: AAT is a niche activity-tracker, not a mainstream enterprise platform, so most 10k-host fleets will have little to no installed base
  • Keep it above IGNORE: the confidentiality impact is real because stored location history and GPX data can expose sensitive movement patterns

Why not higher?

There is no unauthenticated remote path, no server-side foothold, no tenant-wide blast radius, and no integrity/availability damage. Even successful exploitation usually compromises one user's stored activity data after the attacker has already landed code on that handset.

Why not lower?

This is still a genuine data-exposure flaw, not a theoretical hardening issue. If your org manages Android devices used for field work, executive protection, or sensitive travel, location leakage can matter even when the CVE is operationally narrow.

05 · Compensating Control

What to do — in priority order.

  1. Inventory ch.bailu.aat — Use MDM, EMM, or app inventory to identify managed Android devices with AAT installed. For a LOW verdict there is no mitigation SLA; treat this as backlog hygiene and use the inventory result to decide whether the CVE is even present in your fleet.
  2. Block unapproved app installs — The exploit chain needs a second malicious app on the same device, so Managed Play allowlists, anti-sideload policy, and mobile threat defense directly attack the strongest prerequisite. For LOW, keep this in your standing mobile hardening program rather than spinning an emergency change.
  3. Prefer work-profile / managed-device controls — Enterprise-managed Android modes reduce random app coexistence and make malicious local-app placement harder. That is a better risk reducer than treating this as a generic network vulnerability.
  4. Update AAT where present — Where the app exists, move to v1.26 or later through your normal mobile app maintenance channel. For LOW, there is no special accelerated deadline; queue it as routine patch hygiene.
What doesn't work
  • Perimeter firewalls or WAFs: this flaw is not network-reachable
  • Server vulnerability scanning: Nessus/Qualys network scans will not see a local Android app-to-app data leak
  • Password resets or MFA prompts: the advisory describes local data access, not account takeover
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation with adb installed against a connected Android device or emulator. Example: ./check_aat_cve_2025_21615.sh emulator-5554 or ./check_aat_cve_2025_21615.sh R58M1234567; it needs ADB shell access but not root.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# check_aat_cve_2025_21615.sh
# Verify whether Android package ch.bailu.aat is vulnerable to CVE-2025-21615.
# Vulnerable: AAT <= 1.25.2
# Patched:    AAT >= 1.26
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / not installed / unable to determine

set -euo pipefail

PKG="ch.bailu.aat"
DEVICE_ARG="${1:-}"
ADB=(adb)
if [[ -n "$DEVICE_ARG" ]]; then
  ADB+=( -s "$DEVICE_ARG" )
fi

fail_unknown() {
  echo "UNKNOWN: $1"
  exit 2
}

version_ge() {
  # returns 0 if $1 >= $2
  local IFS=.
  local i
  local -a v1=($1) v2=($2)
  local len=${#v1[@]}
  if (( ${#v2[@]} > len )); then len=${#v2[@]}; fi
  for ((i=${#v1[@]}; i<len; i++)); do v1[i]=0; done
  for ((i=${#v2[@]}; i<len; i++)); do v2[i]=0; done
  for ((i=0; i<len; i++)); do
    local a=${v1[i]//[^0-9]/}
    local b=${v2[i]//[^0-9]/}
    a=${a:-0}
    b=${b:-0}
    if ((10#$a > 10#$b)); then return 0; fi
    if ((10#$a < 10#$b)); then return 1; fi
  done
  return 0
}

# Basic device reachability
"${ADB[@]}" get-state >/dev/null 2>&1 || fail_unknown "ADB device not reachable"

# Confirm package is installed
if ! "${ADB[@]}" shell pm path "$PKG" >/dev/null 2>&1; then
  fail_unknown "Package $PKG is not installed on target device"
fi

# Pull package metadata
DUMPSYS=$("${ADB[@]}" shell dumpsys package "$PKG" 2>/dev/null || true)
[[ -n "$DUMPSYS" ]] || fail_unknown "Unable to query package metadata"

VERSION_NAME=$(printf '%s\n' "$DUMPSYS" | sed -n 's/.*versionName=\([^[:space:]]*\).*/\1/p' | head -n1 | tr -d '\r')
VERSION_CODE=$(printf '%s\n' "$DUMPSYS" | sed -n 's/.*versionCode=\([0-9][0-9]*\).*/\1/p' | head -n1 | tr -d '\r')

if [[ -z "$VERSION_NAME" && -z "$VERSION_CODE" ]]; then
  fail_unknown "Could not parse versionName/versionCode for $PKG"
fi

# Prefer versionName when present; fall back to versionCode.
if [[ -n "$VERSION_NAME" ]]; then
  if version_ge "$VERSION_NAME" "1.26"; then
    echo "PATCHED: $PKG versionName=$VERSION_NAME"
    exit 0
  else
    echo "VULNERABLE: $PKG versionName=$VERSION_NAME"
    exit 1
  fi
fi

# Fallback mapping from public release metadata: v1.26 corresponds to versionCode 40.
if [[ -n "$VERSION_CODE" ]]; then
  if (( VERSION_CODE >= 40 )); then
    echo "PATCHED: $PKG versionCode=$VERSION_CODE"
    exit 0
  else
    echo "VULNERABLE: $PKG versionCode=$VERSION_CODE"
    exit 1
  fi
fi

fail_unknown "Reached unexpected state"
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, first prove you even have exposure: query your mobile inventory for Android package ch.bailu.aat. If it is absent, document the rationale and move on. If it is present, queue v1.26+ through normal mobile app maintenance and make sure anti-sideload / app-allowlist controls are enforced on those devices. For this LOW reassessment, the noisgate mitigation SLA is no SLA — treat as backlog hygiene, and the noisgate remediation SLA is likewise backlog hygiene rather than an expedited patch window.

Sources

  1. NVD CVE-2025-21615
  2. GitHub Security Advisory GHSA-pwpm-x58v-px5c
  3. OSV record for CVE-2025-21615
  4. AAT release v1.26
  5. Fix commit 122fa650877f276e20eb958f77c2d4b06dc27b3b
  6. AAT repository README
  7. F-Droid package page for ch.bailu.aat
  8. CISA Known Exploited Vulnerabilities catalog
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.