Security investigators have revealed critical vulnerabilities in Android-powered digital photo frames, primarily involving the Uhale app. The flaws allow affected devices to be fully controlled remotely, posing significant privacy and security risks.
Vulnerabilities Discovered
The Uhale app, often preinstalled in version 4.2.0, automatically downloads and executes APK and JAR payloads upon device startup. This flaw permits remote control without user intervention. Additionally, these payloads are hosted on Chinese infrastructure, such as dc16888888.com. The app suffers from insecure HTTPS management, lacks SSL/TLS validation, and uses unsafe system privileges. Most concerning, devices ship with SELinux disabled and run outdated Android 6 firmware.
Potential Risks and Affected Brands
These vulnerabilities create opportunities for man-in-the-middle attacks, DNS poisoning, and unwanted updates over public Wi-Fi. The malware can exfiltrate user data, access device photos, conduct surveillance, recruit the device into a botnet, and enable lateral network movement.
- Payloads share code with the Vo1d botnet and Mzmess.
- Affected brands include BIGASUO, Euphro, and Shenzhen Yunmai Technology Co. LTD.
- Tens of thousands of devices may be impacted due to wide distribution.
Recommended Actions
Users should disconnect frames from networks and monitor for unusual behavior. Security updates or product recalls are advised. This incident underscores the ongoing risks of poorly maintained Android IoT devices.
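One way to monitor for the behavior described above is to check the home or office resolver's query log for clients that look up the payload host named in this article. The following is an added example, not code from the researchers or the vendor; it assumes a dnsmasq-style query log, and the sample log lines, client addresses and the "cdn." subdomain are constructed for illustration.

```python
import re
from collections import defaultdict

# Domain named in the article as hosting the payloads.
WATCHED = ("dc16888888.com",)

# dnsmasq query-log line, e.g.
# "Jan 10 08:00:01 dnsmasq[412]: query[A] host.example from 192.168.1.23"
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)

def matches_watched(name, watched=WATCHED):
    """True if name is a watched domain or a subdomain of one.

    Exact/suffix-with-dot matching avoids false hits on look-alikes such as
    'notdc16888888.com' or 'dc16888888.com.example.net'.
    """
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in watched)

def flag_clients(lines, watched=WATCHED):
    """Return {client_ip: sorted list of watched names that client queried}."""
    hits = defaultdict(set)
    for line in lines:
        m = QUERY_RE.search(line)
        if m and matches_watched(m.group("name"), watched):
            hits[m.group("client")].add(m.group("name").rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOG = """\
Jan 10 07:59:58 dnsmasq[412]: query[A] time.android.com from 192.168.1.40
Jan 10 08:00:01 dnsmasq[412]: query[A] dc16888888.com from 192.168.1.40
Jan 10 08:00:02 dnsmasq[412]: query[AAAA] CDN.DC16888888.COM. from 192.168.1.40
Jan 10 08:00:05 dnsmasq[412]: query[A] notdc16888888.com from 192.168.1.51
Jan 10 08:00:07 dnsmasq[412]: query[A] dc16888888.com.example.net from 192.168.1.51
Jan 10 08:00:09 dnsmasq[412]: reply dc16888888.com is 203.0.113.7
""".splitlines()

if __name__ == "__main__":
    for client, names in flag_clients(SAMPLE_LOG).items():
        print(f"{client} queried {', '.join(names)}")
```

A client flagged here is a candidate for the disconnection step above; the absence of hits does not show a frame is clean, since it only covers lookups that passed through this resolver.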



