Uhale Android-based digital image frames include a number of vital safety vulnerabilities and a few of them obtain and execute malware at boot time.
Cellular safety firm Quokka carried out an in-depth safety evaluation on the Uhale app and located habits suggesting a reference to the Mezmess and Voi1d malware households.
The researchers reported the problems to ZEASN (now ‘Whale TV’), the Chinese language agency behind the Uhale platform used within the digital image frames of quite a few completely different manufacturers, however acquired no reply to a number of notificaitions since Could.
Computerized malware supply
Beginning with essentially the most alarming findings, lots of the analyzed Uhale picture frames obtain malicious payloads from China-based servers at boot.
“Upon booting, many investigated frames examine for and replace to the Uhale app model 4.2.0,” Quokka researchers say within the report.
“The system then installs this new model and reboots. After the reboot, the up to date Uhale app initiates the obtain and execution of malware.”
The downloaded JAR/DEX file that’s saved beneath the Uhale app’s file listing is loaded and executed at each subsequent boot.
The units that Quokka examined had the SELinux safety module disabled, got here rooted by default, and lots of system parts had been signed with AOSP test-keys.
Supply: Quokka
The researchers discovered proof linking the downloaded payloads to the Vo1d botnet and Mzmess malware households, primarily based on bundle prefixes, string names, endpoints, supply workflow, and artifact places.
Nonetheless, it’s unclear how the units obtained contaminated.
Supply: Quokka
A number of safety gaps
Except for the malware supply, which didn’t happen on all Uhale-branded image frames, the researchers additionally found greater than a dozen vulnerabilities.
Among the many 17 safety points that Quokka discloses within the report, 11 of which have CVE-IDs assigned, beneath are essentially the most vital:
- CVE-2025-58392 / CVE-2025-58397 – An insecure TrustManager implementation permits man-in-the-middle injection of cast encrypted responses, resulting in distant code execution as root on affected units.
- CVE-2025-58388 – The app’s replace course of passes unsanitized filenames straight into shell instructions, enabling command injection and distant set up of arbitrary APKs.
- CVE-2025-58394 – All examined frames ship with SELinux disabled, are rooted by default, and use public AOSP test-keys, in order that they’re basically totally compromised out of the field.
- CVE-2025-58396 – The pre-installed app exposes a file server on TCP port 17802 that accepts unauthenticated uploads, permitting any native community host to put in writing or delete arbitrary information.
- CVE-2025-58390 – The app’s WebViews ignore SSL/TLS errors and allow blended content material, permitting attackers to inject or intercept information displayed on the system, enabling phishing or content material spoofing.
- Hardcoded AES key (DE252F9AC7624D723212E7E70972134D) used to decrypt sdkbin responses.
- A number of fashions embody Adups replace parts and outdated libraries, whereas the app additionally makes use of weak crypto patterns and hardcoded keys, creating supply-chain dangers.
Since most of those merchandise are marketed and offered beneath varied manufacturers with out mentioning the platform they use, it’s tough to estimate the precise variety of doubtlessly impacted customers.
The Uhale app has greater than 500,000 downloads on Google Play and 11,000 consumer opinions within the App Retailer. Uhale-branded picture frames on Amazon have almost a thousand consumer opinions.
BleepingComputer has independently contacted ZEASN with a request for remark, however we’ve got not acquired a response by publication time.
It is strongly recommended that customers solely purchase digital units from respected manufacturers that use official Android pictures with out firmware modifications, Google Play providers, and built-in malware protections.
Whether or not you are cleansing up previous keys or setting guardrails for AI-generated code, this information helps your crew construct securely from the beginning.
Get the cheat sheet and take the guesswork out of secrets and techniques administration.
