Posts

Featured

Samsung's epic fail - CVE-2022-22292

Background and Discovery. This report provides details for a vulnerability, CVE-2022-22292, discovered by Kryptowire that is present in various Samsung Android devices running Android versions 9, 10, 11, and 12. The vulnerability allows any local app on the device (including third-party apps with zero permissions) to provide arbitrary Intent objects that will be used by a pre-installed app (com.android.server.telecom) executing as the system user to start an activity app component (even those that are not exported) of the attacker's choosing, affecting Android versions 10, 11, and 12. The same vulnerability is present on Android 9, although it allows zero-permission third-party apps to provide arbitrary Intent objects that are sent to broadcast receiver app components by the same vulnerable pre-installed app executing as the system user (instead of being used to start arbitrary activity app components in...

Latest posts