Uhale Digital Photo Frames Ship with Root Access and Download Hidden Malware

A serious issue has been uncovered in the digital photo-frame market: Android-based devices sold under the Uhale brand are downloading malicious components during system startup and contain a series of critical vulnerabilities that allow attackers to take full control of the device. These conclusions were reached by Quokka researchers after analysing the behaviour of the Uhale app and the underlying platform developed by the Chinese company Whale TV. Their attempts to notify the developer since May of this year have gone unanswered.

The investigation revealed that some frames, immediately upon being powered on, connect to remote servers located in China, download version 4.2.0 of the Uhale application and automatically launch the updated build. After a reboot, the embedded client downloads and executes a JAR or DEX file, stores it in an internal directory and continues to load it at every subsequent startup. The researchers observed notable similarities with the Mzmess and Vo1d malware families, from package prefixes and strings to delivery methods and the placement of system artefacts. The exact infection vector, however, remains unclear.

The devices’ system-level configuration compounds the danger: every examined frame runs with SELinux disabled, ships with root access already enabled and is signed with the public AOSP test keys, whose private halves are published in the AOSP source tree. Each setting removes a layer of defence: without SELinux no mandatory access control confines a compromised process, with root already present no privilege escalation is needed, and with test keys anyone can sign code that the device accepts as platform software. Together they leave the frames exposed straight out of the box, with nothing to restrict what a malicious component can do once it runs.

Seventeen vulnerabilities were identified in the software, eleven of which have been assigned CVE identifiers. Among them are several particularly severe flaws.

CVE-2025-58392 and the related CVE-2025-58397 stem from an insecure TrustManager implementation that does not properly validate server certificates. An attacker on the network path can therefore impersonate the backend and spoof responses the client treats as trusted, and because the client acts on those responses with superuser privileges, this leads to arbitrary command execution as root.

CVE-2025-58388 lies in the update mechanism: filenames from update metadata are passed unsanitised into shell commands, so whoever controls the filename can inject additional commands and silently install arbitrary APKs.
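To make the class of bug behind CVE-2025-58388 concrete, here is an added, illustrative Java example; it is not Uhale code, and the update directory, the filename rule and the use of `pm install` are assumptions. It places the vulnerable pattern, an update filename spliced into a shell command line, beside a hardened installer that allowlists the name, checks the resolved path and never hands the string to a shell.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

// Illustrative example, not the Uhale updater's code. The directory and the
// naming rule are assumptions made for the example.
public final class UpdateInstaller {

    private static final File UPDATE_DIR = new File("/data/local/tmp/updates"); // assumed

    // VULNERABLE: the filename from the update metadata is concatenated into a
    // command line that a shell parses. A name such as
    //   "update.apk; pm install /sdcard/evil.apk"
    // or "$(pm install /sdcard/evil.apk)" makes the shell run the attacker's
    // command with whatever privileges the updater has (root, on these frames).
    static Process installUnsafe(String fileName) throws IOException {
        String cmd = "pm install -r " + UPDATE_DIR.getPath() + "/" + fileName;
        return Runtime.getRuntime().exec(new String[] {"sh", "-c", cmd});
    }

    // HARDENED: accept only a conservative filename shape (assumed rule),
    // refuse anything that resolves outside the update directory, and pass the
    // path as a discrete argv element so no shell ever interprets it.
    private static final Pattern SAFE_NAME = Pattern.compile("^[A-Za-z0-9_-]{1,64}\\.apk$");

    static String validateUpdateName(String fileName) {
        if (fileName == null || !SAFE_NAME.matcher(fileName).matches()) {
            throw new IllegalArgumentException("rejected update filename");
        }
        return fileName;
    }

    static File resolveUpdateFile(String fileName) throws IOException {
        File f = new File(UPDATE_DIR, validateUpdateName(fileName)).getCanonicalFile();
        // Canonicalisation also defeats a symlink planted in the update directory
        // that points somewhere else on the filesystem.
        if (!f.getPath().startsWith(UPDATE_DIR.getCanonicalPath() + File.separator)) {
            throw new IOException("update path escapes the update directory");
        }
        return f;
    }

    static Process installSafe(String fileName) throws IOException {
        File apk = resolveUpdateFile(fileName);
        // argv array: "pm" receives the path verbatim; shell metacharacters are inert.
        return new ProcessBuilder("pm", "install", "-r", apk.getPath()).start();
    }
}
```

Name validation closes the injection but does not decide whether the APK itself should be trusted: an updater should additionally verify the downloaded package against a pinned signing certificate before installing it, otherwise a correctly named but attacker-supplied APK is still installed silently.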

CVE-2025-58394 highlights that all examined models ship without active SELinux, include root access by default and rely on publicly available test keys.

CVE-2025-58396 shows that the preinstalled client opens a file server on TCP port 17802 that accepts any uploads without permission checks, enabling any device on the local network to overwrite or delete files.

In CVE-2025-58390, the WebView's SSL/TLS error handling ignores certificate errors and permits mixed content, making it possible to alter the information displayed on the frame and to perform local phishing attacks.
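The two TLS findings above, the insecure TrustManager (CVE-2025-58392 and CVE-2025-58397) and the WebView that ignores certificate errors (CVE-2025-58390), are both instances of an app switching off the platform's certificate validation. The following added Java example, which is not Uhale code and does not reproduce its exact implementation, shows the two insecure patterns as they typically appear in Android apps beside their hardened counterparts.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Illustrative example of the two anti-patterns, not the Uhale app's own code.
public final class TlsExamples {

    // Pattern 1, VULNERABLE: a TrustManager whose check methods never throw
    // accepts every certificate chain. Any on-path attacker can present a
    // self-signed certificate and the client treats the response as genuine.
    static final X509TrustManager TRUST_EVERYTHING = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    static void installInsecureDefault() throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_EVERYTHING }, null);
        // Every HttpsURLConnection in the process now skips chain validation.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    // Pattern 1, HARDENED: install no custom TrustManager at all. The platform
    // default validates the chain against the system trust store; if pinning is
    // wanted, declare it in res/xml/network_security_config.xml, not in code.
    static HttpsURLConnection openHardened(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    // Pattern 2, VULNERABLE: a WebViewClient that calls proceed() on SSL errors
    // loads the page despite an invalid certificate, and allowing mixed content
    // lets an HTTP resource inject script into an HTTPS page. On a photo frame
    // this is what lets a local attacker replace what the screen shows.
    static void configureInsecure(WebView webView) {
        webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_ALWAYS_ALLOW);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed();
            }
        });
    }

    // Pattern 2, HARDENED: refuse to load on any SSL error (the platform default)
    // and block mixed content outright.
    static void configureHardened(WebView webView) {
        webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel();
            }
        });
    }
}
```

When reviewing an APK for this class of issue, the quickest static signals are an `X509TrustManager` whose `checkServerTrusted` body is empty, a `HostnameVerifier` that returns `true` unconditionally, and an `onReceivedSslError` override that calls `proceed()`; each of these is a complete bypass of certificate validation, not a partial weakening.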

The researchers also discovered a hardcoded AES key used to decrypt sdkbin network responses and found outdated libraries and Adups components in several models.

Taken together, these issues leave the software stack devoid of meaningful protection and introduce significant supply-chain risks. The number of affected users is difficult to estimate: the frames are sold under various brand names, and details about the underlying platform are not disclosed. The Uhale app has over half a million downloads on Google Play, and more than 11,000 reviews on the App Store. Across online marketplaces, reviews of devices running the same platform also approach a thousand.
