Did they give you a digital photo frame? It’s more than just family memories.

Redazione RHC : 15 November 2025 12:38

Researchers have discovered several critical vulnerabilities in Uhale digital picture frames running Android , with some models even downloading and executing malware during startup. They examined the Uhale app and discovered activity associated with two malware families: Mezmess and Vo1d.

As early as May 2025, researchers attempted to report the issues they encountered to the Chinese company ZEASN (now renamed Whale TV), which is responsible for the Uhale platform used in digital photo frames from many brands. However, the specialists never received a response from the developers.

Experts found that many of the analyzed digital picture frame models download malicious payloads from Chinese servers immediately after being turned on. Upon startup, the devices check for an update to the Uhale app, install the update to version 4.2.0, and reboot. After the reboot, the updated app begins downloading and running the malware.

The downloaded JAR/DEX file is saved to the Uhale application directory and executed on each subsequent system startup. It is not yet clear why version 4.2.0 of the application became malicious (whether this was done intentionally by the developers themselves or whether the ZEASN update infrastructure was compromised).

The detected malware has been linked to the Vo1d botnet , which comprises millions of devices, as well as the Mzmess malware family. This connection is confirmed by packet prefixes, string names, endpoints, the malware distribution process, and a number of artifacts.

In addition to the automatic download of malware (which did not occur on all frames analyzed), researchers also discovered numerous vulnerabilities. In their report, Quokka specialists detailed 17 issues, 11 of which have already been assigned CVE identifiers. The most serious are:

• CVE-2025-58392 and CVE-2025-58397 – An insecure implementation of TrustManager allows a MitM attack to inject forged encrypted responses, ultimately leading to remote code execution with root privileges;
• CVE-2025-58388 – During an application update, raw file names are passed directly to shell commands, allowing command injection and remote installation of arbitrary APKs;
• CVE-2025-58394 – All tested photo frames were shipped with SELinux disabled, default root access, and AOSP public test keys, meaning they were fully compromised out of the box;
• CVE-2025-58396 – A preinstalled application launches a file server on TCP port 17802 that accepts unauthenticated file uploads. This allows any host on the local network to write or delete arbitrary files on the device.
• CVE-2025-58390 – WebView in the app ignores SSL/TLS errors and allows mixed content, allowing attackers to inject or intercept data displayed on the device, opening the door to phishing and content spoofing.

Researchers also found a hardcoded AES key to decrypt sdkbin responses. Additionally, several photo frame models contained Adups update components and outdated libraries , and the app used weak cryptographic schemes and hardcoded keys.

However, it’s difficult to estimate the exact number of victims: most vulnerable photo frames are sold under different brands and without mentioning the Uhale platform. Therefore, researchers cite differing statistics: the Uhale app has been downloaded over 500,000 times on Google Play and has over 11,000 reviews on the App Store. Additionally, Uhale photo frames sold on Amazon have approximately 1,000 reviews .

In conclusion, experts recommend purchasing gadgets only from trusted manufacturers that use official Android images without firmware modifications, support Google services, and have built-in anti-malware protection.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.

Lista degli articoli