New attack vector for Android infotainment: Quick Share is coming to Android for cars, so here are the protocol details and RCE chain. 🚗 👻 📱🚨
Security researchers Or Yair and Shmuel Cohen shared some interesting details about one of the most handy features in modern Android - Quick Share. This protocol allows you to transfer files between Android mobile devices and is now also available on Windows.
The authors focused their research on the Windows implementation of Quick Share and found a rather interesting kill chain that led to Remote Code Execution. Along the way, they also shared a lot of information about the protocol details that may be useful for future research.
The most interesting part came earlier this year — when, in May 2025, the Android team announced that Quick Share would be ported to the Automotive version of Android. We now have a wireless method for transferring files between a car and a phone or computer. Yep!
I expect more research papers and presentations to come from Quick Share in cars. Read the paper and think creatively! And please share this research with your colleagues and peers - it might just be someone's next big project.
More details:
QuickShell: Sharing is caring about an RCE attack chain on Quick Share [PDF]: https://i.blackhat.com/Asia-25/Asia-25-Yair-QuickShell-Sharing-is-Caring.pdf
New in-car app experiences [Blog]: https://android-developers.googleblog.com/2025/05/android-for-cars-google-io-2025.html
