Photo,Video Locker-Calculator – Leak of sensitive Files and Backdoor
On the Google Play Store, the application “Photo,Video Locker-Calculator” promises to hide your videos and photos from unauthorized access. To quote the app description:
“Your files will be secretly stored in vault and can only be viewed after a Numeric PIN is entered on calculator panel of this app.”
Unfortunately, this is not true because of a security vulnerability in version 12.0. The problem is that in AndroidManifest.xml, where the permissions of the app are defined, android:allowBackup="true" is set. This means the data of the app can easily be recovered with the Android Debug Bridge (adb). The code below shows again where the problem is.
To back up the application, and therefore the files stored within the app, we can use adb with adb backup -f backup.ab smart.calculator.gallerylock
This creates the file backup.ab, which we can convert to a .tar archive with the Android Backup Extractor.
- java -jar abe.jar unpack backup.ab backup.tar
The .tar archive can be extracted, and the sensitive files are located in the subfolders of /apps/smart.calculator.gallerylock/f/lockerVault/
This proves that the files hidden within the application are neither stored securely nor encrypted.
CVE-2017-16835 has been assigned to this vulnerability.
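A way to check for the android:allowBackup setting described above before an app ships, written as an added example that is not part of the original post or the app's code. It assumes a decoded (text) AndroidManifest.xml; the sample manifests and the resource name @bool/backup_enabled are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ALLOW_BACKUP = "{%s}allowBackup" % ANDROID_NS


def audit_allow_backup(manifest_xml):
    """Return (package, verdict, detail) for a decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "<unknown>")
    app = root.find("application")
    if app is None:
        return package, "n/a", "no <application> element"
    raw = app.get(ALLOW_BACKUP)
    if raw is None:
        # Omitting the attribute is not safe: it defaults to true.
        return package, "backup-enabled", "allowBackup not set (defaults to true)"
    value = raw.strip().lower()
    if value == "true":
        return package, "backup-enabled", "allowBackup explicitly true"
    if value == "false":
        return package, "backup-disabled", "allowBackup explicitly false"
    # A resource reference cannot be resolved from the manifest alone.
    return package, "review", "allowBackup is %r; resolve it manually" % raw


def _manifest(app_attrs, package="smart.calculator.gallerylock"):
    # Builds a minimal constructed manifest, not the app's real one.
    return ('<manifest xmlns:android="%s" package="%s">'
            '<application %s/></manifest>' % (ANDROID_NS, package, app_attrs))


SAMPLES = {
    "as described in the post": _manifest('android:allowBackup="true"'),
    "attribute omitted": _manifest('android:label="vault"'),
    "hardened": _manifest('android:allowBackup="false"'),
    "resource reference": _manifest('android:allowBackup="@bool/backup_enabled"'),
}

if __name__ == "__main__":
    for name, xml_text in SAMPLES.items():
        package, verdict, detail = audit_allow_backup(xml_text)
        print("%-26s %s: %s (%s)" % (name, package, verdict, detail))
```

Any verdict other than backup-disabled means files the app stores unencrypted in its private data directory should be treated as readable through a backup.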
The backdoor
But even worse, the application also has a backdoor. If you decompile the application and look in the file smart/calculator/gallerylock/CalculatorActivity.java, you can find the following function.
This is a classic backdoor. The PIN “17621762” gives anyone access to the files stored in this application. The app itself has many other issues, which I didn’t mention here. But having a backdoor in an app is reason enough to get rid of it. As a result, the application and the company behind it can’t be trusted.
CVE-2017-18192 has been assigned to this vulnerability.
Update: Version 13, published on January 24, 2018, also has the above-mentioned backdoor.
Update (February 2, 2018): They made a version jump from 13 to 18 on January 31, 2018. The backdoor is still present.