Android Photo Frames App Downloads Malware, Giving Hackers Control of The Device Without User Interaction

Digital photo frames have become a standard household device for displaying family memories, and most users assume these simple gadgets prioritize simplicity over complexity.

However, a troubling discovery reveals that specific Android photo frames running the Uhale app automatically download and execute malware as soon as they boot.

Quokka security analysts identified this critical issue after examining popular digital picture frame models sold on major retail platforms.

These frames, often marketed under brands like BIGASUO, WONNIE, and MaxAngel, share a common vulnerability that puts millions of users at risk.

The affected devices are vulnerable to automatic malware installation without user interaction.

Security analysts at Quokka detected that the security concern extends far beyond simple data theft. These vulnerabilities create complete pathways for attackers to gain full control of the device with minimal effort.

The malware discovered during the analysis is associated with the Vo1d botnet and the Mzmess malware family, which have already infected an estimated 1.6 million Android TV devices worldwide.

Entities in the Uhale ecosystem (Source - Quokka)

When connected to a home or office network, a compromised frame can serve as an entry point for lateral attacks on other devices, potentially leading to widespread network compromise and data exposure.

The root of the problem lies in how the Uhale application handles security at the software level. Rather than implementing modern security standards, the developers relied on outdated Android 6.0 with disabled security features and hardcoded encryption keys embedded directly in the app code.

This combination creates multiple vulnerability pathways that skilled attackers can exploit through simple network interception techniques.

The implications are severe because these frames typically remain continuously connected to networks, providing attackers with persistent access opportunities.

Remote Code Execution Through Insecure Trust Management

The primary exploitation vector involves a weakness in how the Uhale app validates security certificates during network communications.

Workflow for the Uhale 4.2.0 app (Source - Quokka)

When a frame boots up and checks for app updates, it communicates with servers at dcsdkos.dc16888888.com over HTTPS.

However, the app implements a custom security validator that accepts any certificate without proper verification.

This oversight allows attackers positioned on the same network to intercept these connections and inject malicious code.

The insecure trust manager is implemented in the com.nasa.memory.tool.lf class. Instead of validating that the server presenting the certificate is legitimate, its checkServerTrusted method simply returns without performing any verification, so every certificate chain is accepted.

When combined with a hardcoded encryption key DE252F9AC7624D723212E7E70972134D stored in the app, attackers can craft responses that the device will accept and decrypt.

The response contains a download link to a Dalvik Executable file, which the app then loads and executes using Java reflection techniques.

The execution occurs via the DexClassLoader, which dynamically loads code from external sources.

The app creates an instance of this class loader pointing to downloaded JAR files stored in the /data/data/com.zeasn.frame/files/.honor directory.

It then looks up a predefined entry-point method, com.sun.galaxy.lib.OceanInit.init, which is invoked automatically.

Since the Uhale app operates with system-level privileges and the devices have SELinux disabled and su commands available, the injected code immediately runs with unrestricted root access.

This allows attackers to execute arbitrary shell commands, install persistent malware, modify system files, or harvest sensitive data from other applications.
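As a second added example (again not the app's or Quokka's code), the following shows the control the update path above lacks: a detached signature over the downloaded file is verified against a public key compiled into the app before anything is handed to DexClassLoader, and a file that fails verification is never loaded. The VerifiedDexLoader class, the entry-point method signature, and the placeholder public key are assumptions.

```java
import android.content.Context;
import dalvik.system.DexClassLoader;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.lang.reflect.Method;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

final class VerifiedDexLoader {
    // Hypothetical: base64 DER SubjectPublicKeyInfo of the vendor's release signing
    // key, baked into the app. PLACEHOLDER value, not a real key.
    private static final String PUBKEY_B64 = "<PLACEHOLDER_BASE64_SPKI>";

    // Returns true only if `signature` is a valid SHA256withECDSA signature over
    // the full contents of `jar` under the pinned public key.
    static boolean verify(File jar, byte[] signature) throws Exception {
        byte[] der = android.util.Base64.decode(PUBKEY_B64, android.util.Base64.DEFAULT);
        PublicKey pk = KeyFactory.getInstance("EC").generatePublic(new X509EncodedKeySpec(der));
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initVerify(pk);
        try (InputStream in = new FileInputStream(jar)) {
            byte[] buf = new byte[8192];
            int n;
            while ((n = in.read(buf)) > 0) sig.update(buf, 0, n);
        }
        return sig.verify(signature);
    }

    // Loads the entry class and calls its static init(Context) only after the
    // artifact has been authenticated. Unsigned or tampered files are rejected
    // before DexClassLoader ever sees them.
    static void loadAndInit(Context ctx, File jar, byte[] signature, String entryClass)
            throws Exception {
        if (!verify(jar, signature)) {
            throw new SecurityException("update failed signature check; refusing to load");
        }
        // Keep the optimized output in app-private storage, not a world-writable path.
        File optDir = ctx.getDir("dex_opt", Context.MODE_PRIVATE);
        DexClassLoader loader = new DexClassLoader(
            jar.getAbsolutePath(), optDir.getAbsolutePath(), null, ctx.getClassLoader());
        Class<?> cls = loader.loadClass(entryClass);
        Method init = cls.getMethod("init", Context.class); // assumed entry-point signature
        init.invoke(null, ctx);
    }
}
```

The signature check only authenticates the artifact; it does not shrink the blast radius. An app that runs with system privileges on a device with SELinux disabled still hands whatever it loads unrestricted access, so the verification above belongs alongside, not instead of, dropping the update component to a normal app UID and keeping SELinux enforcing.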

The malware samples identified included multiple APK packages classified by Quokka’s behavioral analysis engine as spyware with 100 percent confidence.

These included com.app.mz.s101, com.app.mz.popan, and several others specifically designed for surveillance and system control purposes.
