NEWS ChoiceJacking: Just 25 Seconds of Charging — and Any Smartphone Reveals Its Secrets

ExcalibuR

Researchers have uncovered a fatal flaw in the trust architecture of mobile devices.

Just when it seemed that the threat of “Juice Jacking” was a thing of the past, new research has reminded us how fragile mobile device security still is. Despite efforts by Apple and Google, attackers have found ways to bypass trust verification when charging phones via USB — and the methods are alarmingly simple.


The first attempts to defend against "Juice Jacking" emerged about ten years ago. The idea behind the attack was to gain access to files or execute code on a phone through a specially designed malicious charger. To prevent such interference, operating systems began prompting users for permission to transfer data when connecting a cable. However, a team of researchers from Graz University of Technology found that this protection could easily be bypassed.


They developed an attack called ChoiceJacking, which allows a malicious charger to confirm access requests on its own, mimicking the user's actions. This became possible because of a flawed assumption in the USB trust architecture: operating systems assumed that a connected device could not act as a USB host (the side that requests data access) and inject input commands at the same time. In practice, this assumption proved wrong.


Three variants of the attack successfully bypass Android’s defenses, and one even works against Apple devices. In all cases, the malicious charger first connects as a peripheral — for example, a keyboard — to send commands. It then switches roles to become a host and initiates a data access request, while simultaneously continuing to send confirmation commands via a Bluetooth connection, bypassing the on-screen permission prompts.


In practice, the attack looks like this: the connected phone starts receiving commands to enable Bluetooth, open settings, accept pairing requests, and approve data access — all without the user’s awareness. Tests showed that a successful compromise takes just about 25–30 seconds.


Nearly all popular smartphone models were found vulnerable to this method. Only a single Vivo smartphone, with a custom USB protocol implementation that doesn't support power role switching, was immune. All other devices were affected, and the impact was greatest when USB debugging mode, which grants broader system access than ordinary file transfers, was enabled.


Besides the main attack method, researchers discovered two additional ways to bypass Android defenses. One exploits features of the Android Open Accessory Protocol, allowing a charging device to issue commands without explicitly switching the phone into accessory mode. Another relies on overwhelming the Android input manager with a specially crafted stream of events, enabling attackers to confirm access before the phone can properly process new requests.


Vendors responded to the findings. Apple patched the vulnerability in iOS/iPadOS 18.4, which now requires a password or PIN entry before data transfers are allowed. Google implemented a similar requirement in Android 15. However, Android’s ecosystem fragmentation has slowed the rollout: many third-party devices still haven’t received the necessary updates, and some, like Samsung smartphones running One UI 7, have not implemented the new protection at all.


According to the researchers, the root of the issue lies in balancing security and usability. Manufacturers are reluctant to overhaul USB connection principles because doing so would make file transfers less convenient, requiring extra authentication steps each time.


ChoiceJacking poses a particular risk for devices with USB debugging enabled. In a successful attack, attackers could install apps, modify files, and execute commands directly on the phone.
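The two conditions the article singles out, an OS release older than Android 15 and USB debugging left switched on, are easy to check across a fleet from an inventory export. The script below is an added example and is not part of the researchers' work or the original post; it parses property dumps in the `[key]: [value]` format printed by `adb shell getprop` (the sample dumps are constructed), takes the `adb_enabled` global setting as a separate value, and assumes such data arrives from a device-management export rather than from a live adb session. The only external fact it relies on is that Android 15 corresponds to API level 35.

```python
"""Triage Android devices for the ChoiceJacking risk conditions named above:
an OS release before Android 15 (the version carrying Google's PIN-on-transfer fix)
and USB debugging enabled (which turns a confirmed connection into shell access).

Input: a getprop-style dump plus the value of `settings get global adb_enabled`.
The dumps below are constructed sample data, not captures from real devices.
"""
import re
from dataclasses import dataclass

ANDROID_15_SDK = 35  # Android 15 == API level 35 (documented Android fact)

# getprop prints one property per line as "[key]: [value]"
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]:\s*\[(?P<value>[^\]]*)\]\s*$")


@dataclass
class Finding:
    severity: str  # "high" or "info"
    message: str


def parse_getprop(dump: str) -> dict:
    """Parse getprop output into a dict; lines that don't match are skipped."""
    props = {}
    for line in dump.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def assess(props: dict, adb_enabled: str) -> list:
    """Return findings for one device given its properties and adb_enabled ('0'/'1')."""
    findings = []
    sdk_text = props.get("ro.build.version.sdk", "")
    sdk = int(sdk_text) if sdk_text.isdigit() else 0  # unknown -> treat as old
    release = props.get("ro.build.version.release", "unknown")
    patch = props.get("ro.build.version.security_patch", "unknown")
    vendor = props.get("ro.product.manufacturer", "unknown").lower()

    if sdk < ANDROID_15_SDK:
        findings.append(Finding(
            "high",
            "Android %s (API %d, patch %s) predates Android 15: the data-transfer "
            "prompt can be auto-confirmed by a malicious charger" % (release, sdk, patch)))
    elif vendor == "samsung":
        # The article reports One UI 7 devices had not adopted the PIN requirement
        findings.append(Finding(
            "info",
            "Android 15 present, but vendor builds may lack the PIN requirement; "
            "verify the transfer prompt on the device"))

    if adb_enabled.strip() == "1":
        findings.append(Finding(
            "high",
            "USB debugging enabled: a confirmed connection yields command execution, "
            "not just file access"))
    return findings


def risk_level(findings: list) -> str:
    """Overall rating: 'high' if any high-severity finding, otherwise 'low'."""
    return "high" if any(f.severity == "high" for f in findings) else "low"


# Constructed sample dumps (not real devices)
PATCHED_DUMP = """[ro.build.version.release]: [15]
[ro.build.version.sdk]: [35]
[ro.build.version.security_patch]: [2025-03-05]
[ro.product.manufacturer]: [Google]
"""
STALE_DUMP = """[ro.build.version.release]: [14]
[ro.build.version.sdk]: [34]
[ro.build.version.security_patch]: [2024-06-05]
[ro.product.manufacturer]: [Example]
"""
SAMSUNG_DUMP = """[ro.build.version.release]: [15]
[ro.build.version.sdk]: [35]
[ro.product.manufacturer]: [samsung]
"""

if __name__ == "__main__":
    for name, dump, adb in (("patched", PATCHED_DUMP, "0"),
                            ("stale", STALE_DUMP, "1"),
                            ("samsung", SAMSUNG_DUMP, "0")):
        found = assess(parse_getprop(dump), adb)
        print(name, risk_level(found))
        for f in found:
            print("  [%s] %s" % (f.severity, f.message))
```

Devices rated "high" are the ones the article's advice applies to most directly: keep them off shared charging ports until updated, and turn USB debugging off when it is not needed. The "info" finding only flags that an OS version number alone does not prove the vendor shipped the new prompt.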


The discovered vulnerabilities were assigned the following identifiers:


  • CVE-2025-24193 (Apple)
  • CVE-2024-43085 (Google)
  • CVE-2024-20900 (Samsung)
  • CVE-2024-54096 (Huawei).

Google confirmed patches in Android 15, but the status of devices from other manufacturers remains uncertain. Apple declined to comment.


Although there have been no confirmed real-world cases of ChoiceJacking exploitation so far, the new findings will likely strengthen calls to avoid using public charging stations — especially for users whose devices lack the latest security updates.