Android Zero-Click Vulnerability Enables Remote Shell Access

Sarah Simpson
May 12, 2026

Google’s May 2026 Android Security Bulletin has revealed a catastrophic zero-click vulnerability residing within the core Android System. This critical flaw poses a significant threat to mobile security.

The CVE-2026-0073 flaw in Android’s adbd daemon lets nearby threat actors remotely gain full shell access without victim interaction.

Unearthed by BARGHEST security researchers, this critical cryptographic breakdown completely shatters Android’s debugging trust model, transforming a standard developer tool into an invisible, weaponized backdoor.

Android Zero-Click PoC Released

The foundation of CVE-2026-0073 is a cryptographic logic error in the adbd_tls_verify_cert function of the auth.cpp file.

Modern wireless ADB connections rely on mutual TLS authentication to ensure that a connecting client is a previously paired and trusted host.

During this handshake, the system uses the EVP_PKEY_cmp API to compare the client’s certificate public key against authorized RSA keys stored on the device.

If an attacker supplies a non-RSA certificate, such as EC P-256 or Ed25519, the comparison API returns -1 to flag a cross-algorithm mismatch.

Because C++ treats any non-zero integer as true in a boolean context, the daemon reads the -1 result as success and incorrectly validates the attacker’s mismatched certificate as a trusted host key.
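The truthiness mistake described above, shown beside its corrected form, as an added example that is not code from adbd or from the researchers. `PubKey`, `key_cmp` and both `is_trusted_*` functions are hypothetical stand-ins; `key_cmp` only models the return convention the article attributes to EVP_PKEY_cmp and does not call it.

```cpp
#include <string>
#include <vector>

// Constructed stand-in for a public key: algorithm plus opaque key material.
enum class Alg { RSA, EC_P256, ED25519 };
struct PubKey {
    Alg alg;
    std::string material;
};

// Stand-in comparator with a tri-state result (assumption, modelled on the article):
// 1 = same key, 0 = same algorithm but different key, -1 = algorithm mismatch.
int key_cmp(const PubKey& a, const PubKey& b) {
    if (a.alg != b.alg) return -1;
    return a.material == b.material ? 1 : 0;
}

// Flawed pattern: the int is used as a boolean, so -1 is taken as a match.
bool is_trusted_flawed(const std::vector<PubKey>& store, const PubKey& peer) {
    for (const PubKey& known : store) {
        if (key_cmp(known, peer)) return true;
    }
    return false;
}

// Corrected pattern: only an explicit 1 is a match; 0 and negatives are rejected.
bool is_trusted_fixed(const std::vector<PubKey>& store, const PubKey& peer) {
    for (const PubKey& known : store) {
        if (key_cmp(known, peer) == 1) return true;
    }
    return false;
}

// Constructed sample data: a trust store holding one paired RSA host key.
const std::vector<PubKey> kStore = {{Alg::RSA, "paired-host-key"}};
const PubKey kPairedHost = {Alg::RSA, "paired-host-key"};
const PubKey kUnknownRsa = {Alg::RSA, "some-other-key"};
const PubKey kUnknownEc = {Alg::EC_P256, "unpaired-ec-key"};

int main() {
    // Exit 0 only if the corrected check accepts the paired key and rejects the EC key.
    bool ok = is_trusted_fixed(kStore, kPairedHost) &&
              !is_trusted_fixed(kStore, kUnknownEc);
    return ok ? 0 : 1;
}
```

With an empty store the flawed loop never runs, which is why the stored RSA host key appears among the prerequisites the article lists.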

While the logic flaw is straightforward, weaponizing it requires precise manipulation of the protocol.

An attacker must first establish a TCP connection, successfully negotiate the STLS upgrade sequence, and then supply the malicious cross-algorithm certificate.

Once this authentication gate is bypassed, the attacker can resume ADB framing inside the encrypted tunnel to open a remote shell.

This grants the attacker execution privileges as the shell user, allowing them to bypass normal application sandboxes.

Consequently, threat actors can extract sensitive personal information, abuse package management to silently install malicious applications, and manipulate system settings to stage further device exploitation.

According to Barghest Research, the vulnerability mainly affects Android 14, 15, and 16 devices under specific state conditions.

Successful exploitation demands the following prerequisites:

  • Developer options are actively enabled on the target device.
  • Wireless debugging, or ADB over TCP, is exposed on the network.
  • The device trust store contains at least one previously paired RSA host key.
  • The attacker has adjacent network reachability to the device’s ADB TCP port 5555.

Device users and enterprise administrators must apply the May 2026 security patch immediately to resolve this critical flaw.

To proactively reduce attack surfaces, users should turn off wireless debugging on untrusted networks and revoke authorizations for unknown debugging hosts.

Turning off Developer options entirely when not in use is highly recommended to protect against automated local network exploitation attempts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
