Photo,Video Locker-Calculator – Leak of sensitive Files and Backdoor

February 12, 2021
Photo,Video Locker-Calculator – Leak of sensitive Files and Backdoor

On the Google Play Store the application “Photo,Video Locker-Calculator” promises to hide your videos and photos from unauthorized access. To quote the app description

“Your files will be secretly stored in vault and can only be viewed after a Numeric PIN is entered on calculator panel of this app.”

Unfortunately, this is not true because of a security vulnerability in the version 12.0. The problem is, that in the AndroidManifest.xml, where the permissions of the app are defined, android:allowBackup="true" is set. This means the data of the app can easily be recovered with the Android Debug Bridge (adb). The code below shows again where the problem is.


To backup the application and therefore the files stored within the app we can use adb with adb backup '-f smart.calculator.gallerylock'
This creates the file backup.ab which we can convert to a .tar archiv with the Android Backup Extractor.

  1. java -jar abe.jar unpack backup.ab backup.tar

The .tar archiv can be extracted and the sensitive files are located in the subfolders of /apps/smart.calculator.gallerylock/f/lockerVault/

This proves that the files hidden within the application are not securely stored and also not encrypted.

CVE-2017-16835 has been assigned to this vulnerability.

The backdoor

But even worse, the Application also has a backdoor. If you decompile the application and look in the file smart/calculator/gallerylock/ you can find the following function.

private void f(){
	String string = this.a.getText().toString();
	if (string.equals(this.X) || string.equals("17621762")) {

This is a classic backdoor. The pin “17621762” gives anyone access to the files stored in this application. The app itself has many other issues, which I didn’t mention here. But having a backdoor in an app is reason enough to get rid of it. As a result, the application and the company behind it can’t be trusted.

CVE-2017-18192 has been assigned to this vulnerability.

Update: Version 13. published on January 24, 2018 also has the above mentioned backdoor.
Update (02, February 2018): They made a version jump from 13 to 18 on 31, January 2018. Backdoor is still present.

Starten Sie Ihr Projekt mit DS-Security

Abonnieren Sie den DS-Security Newsletter, um die neuesten Updates zu erhalten!

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.