Millions of users are at risk due to newly discovered security flaws in popular Android photo frames. These smart devices, often marketed under brands like BIGASUO, WONNIE, and MaxAngel, automatically download and execute malware upon booting, thanks to a vulnerability within the Uhale application. This discovery, made by Quokka security analysts, allows hackers to gain complete control of the device without any user interaction, raising significant privacy and security concerns.
The affected digital picture frames are designed to be simple, yet their underlying software has been found to be critically insecure. Quokka’s examination revealed that the Uhale app, a common component in these frames, fails to adhere to basic security protocols. This oversight enables attackers to exploit network vulnerabilities and install malicious software capable of widespread damage, including data theft and complete device compromise. The malware identified is linked to the Vo1d botnet and the Mzmess malware family, which have already impacted an estimated 1.6 million Android TV devices globally.
These compromised frames, once connected to a home or office network, can act as a gateway for lateral attacks. Hackers can leverage this access to target other connected devices, potentially leading to broader network breaches and the exposure of sensitive data across multiple systems. Because these devices are always connected, the threat is amplified: attackers have continuous opportunities to exploit the vulnerabilities.
Remote Code Execution Through Insecure Trust Management in Android Photo Frames
The primary method of exploitation centers on a critical weakness in the Uhale app’s handling of network security certificates. When a photo frame boots up and attempts to check for app updates, it initiates communication with servers at dcsdkos.dc16888888.com using HTTPS. However, the app employs a custom security validator that fails to properly verify security certificates, accepting virtually any certificate presented. This allows attackers on the same network to intercept these communications and inject malicious code undetected.
Quokka analysts identified this insecure trust management within the com.nasa.memory.tool.lf class. The checkServerTrusted method within this class returns without performing any verification, effectively bypassing server authentication. This vulnerability, combined with a hardcoded encryption key (DE25252F9AC7624D723212E7E70972134D) embedded directly in the app’s code, allows attackers to craft fraudulent responses. The device then accepts and decrypts these responses, which contain a link to a malicious Dalvik Executable (APK) file.
The Uhale app then proceeds to load and execute this malicious code using Java reflection techniques. Specifically, the DexClassLoader is employed to dynamically load code from external sources. The app sets up an instance of this class loader to point to downloaded JAR files stored within the /data/data/com.zeasn.frame/files/honor directory. It then automatically invokes a predefined entry-point method, com.sun.galaxy.lib.OceanInit.init.
Because the Uhale app operates with system-level privileges, and the affected devices often have SELinux disabled and su commands available, the injected code gains immediate and unrestricted root access. This level of access grants attackers the ability to execute arbitrary shell commands, install persistent malware, tamper with system files, or exfiltrate sensitive data from other applications running on the device. The reported malware samples, including com.app.mz.s101 and com.app.mz.popan, were classified by Quokka’s analysis engine as spyware with a 100% confidence rate, indicating their specific design for surveillance and system control.
The security researchers have highlighted that the Uhale app relies on outdated Android 6.0 features with disabled security functionalities. This, coupled with the other vulnerabilities, creates a dangerous environment for users who assume their digital frames are simple, secure display devices. The ongoing presence of these vulnerabilities means that any newly purchased or currently operating Uhale-powered photo frames remain susceptible to attack.
Moving forward, users of potentially affected devices are advised to disconnect them from their networks until a definitive patch or update is released by the manufacturers. The discovery underscores the critical need for robust security practices in the development of IoT devices, even those that appear to be low-risk. Cybersecurity experts will be monitoring for any official responses or updates from the manufacturers of these digital photo frames and the developers of the Uhale application.