CVE-2012-6335

LOW 3.3 / 10.0
Published: December 31, 2012 at 11:50 AM
Modified: April 11, 2025 at 12:51 AM
Source: cve@mitre.org

Vulnerability Description

The Anti-theft service in AVG AntiVirus for Android allows physically proximate attackers to provide arbitrary location data via a "commonly available simple GPS location spoofer."

CVSS Metrics

Base Score: 3.3
Severity: LOW
Vector String: AV:A/AC:L/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

NVD-CWE-noinfo
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

AVG AntiVirus for Android is vulnerable to location spoofing, allowing attackers to bypass the anti-theft service and provide false location data. This vulnerability enables attackers to mislead users and potentially compromise device security, leading to misinformation and data breaches. The ease of exploitation, using readily available tools, makes this a significant risk.

02 // Vulnerability Mechanism

Step 1: Preparation: The attacker obtains a GPS location spoofer application, readily available on the Google Play Store or through other means. These applications allow users to manually set GPS coordinates.

Step 2: Spoofing Activation: The attacker installs the GPS spoofer on a device (e.g., their own or one they have physical access to).

Step 3: Location Spoofing: The attacker uses the GPS spoofer to set the desired, arbitrary GPS coordinates. This could be a location far away from the actual device, or a location of interest.

Step 4: AVG Anti-Theft Interaction: The attacker triggers an action that causes the AVG Anti-Theft service to request the device's location (e.g., sending a remote command to locate the device).

Step 5: Data Reception and Trust: The AVG Anti-Theft service receives the spoofed GPS coordinates from the operating system, which is now passing along the location set by the GPS spoofer application.

Step 6: Reporting False Location: The AVG Anti-Theft service reports the spoofed location to the user or the remote management console, providing inaccurate location information.

03 // Deep Technical Analysis

The vulnerability stems from insufficient validation of the GPS data the AVG Anti-theft service receives. The service trusts the location it is given without checking the origin or integrity of that data, so an attacker can inject spoofed GPS coordinates. This allows an attacker to bypass the security measures intended to track and protect the device.
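The origin and plausibility checks that this analysis says are missing can be sketched as follows. This is an added example, not AVG's code: the `Fix` fields, the thresholds and the sample coordinates are assumptions, and on Android the `is_mock` flag is assumed to be filled from `Location.isFromMockProvider()`.

```python
import math
from dataclasses import dataclass
from typing import List, Optional

MAX_SPEED_MS = 340.0  # assumed ceiling for device movement between fixes
MAX_AGE_S = 120.0     # assumed freshness window for a reported fix

@dataclass
class Fix:                       # hypothetical report format
    lat: float
    lon: float
    time_s: float                # time the fix was taken, epoch seconds
    accuracy_m: Optional[float]  # simple spoofers often leave this unset
    is_mock: bool                # provenance flag reported by the OS

def haversine_m(a: Fix, b: Fix) -> float:
    """Great-circle distance between two fixes in metres."""
    p1, p2 = math.radians(a.lat), math.radians(b.lat)
    dl = math.radians(b.lon - a.lon)
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def assess(fix: Fix, previous: Optional[Fix], now_s: float) -> List[str]:
    """Return the reasons a fix should be shown as untrusted (empty list = no finding)."""
    reasons = []
    if fix.is_mock:
        reasons.append("mock-provider")
    if fix.accuracy_m is None or fix.accuracy_m <= 0:
        reasons.append("no-accuracy")
    if now_s - fix.time_s > MAX_AGE_S:
        reasons.append("stale")
    if previous is not None:
        dt = fix.time_s - previous.time_s
        if dt <= 0:
            reasons.append("non-monotonic-time")
        elif haversine_m(previous, fix) / dt > MAX_SPEED_MS:
            reasons.append("impossible-speed")
    return reasons

# Constructed sample data: last accepted fix, a plausible follow-up, two spoofed ones.
LAST_GOOD = Fix(50.0755, 14.4378, 1000.0, 12.0, False)
GENUINE = Fix(50.0760, 14.4390, 1060.0, 10.0, False)
SPOOFED = Fix(35.6762, 139.6503, 1060.0, None, True)
SPOOFED_NO_FLAG = Fix(35.6762, 139.6503, 1060.0, 5.0, False)

if __name__ == "__main__":
    for name, fix in [("genuine", GENUINE), ("spoofed", SPOOFED), ("no-flag", SPOOFED_NO_FLAG)]:
        print(name, assess(fix, LAST_GOOD, now_s=1065.0))
```

A flagged fix is best reported together with its reasons rather than silently dropped, so the device owner sees that the reported position may not be genuine.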
