Freedom Factory dGEN1 Improper Authorization Vulnerability in Ethos Launcher FakeAppService
Vulnerability
A broken authorization vulnerability has been identified in the Freedom Factory dGEN1 phone, specifically in the Android launcher application 'org.ethosmobile.ethoslauncher', prior to version 20260221. The vulnerability arises in an exported service called 'FakeAppService', which improperly validates the identity of calling applications. Instead of using secure methods to verify the caller's UID or application signature, the service relies on untrusted data from intent extras. This flaw allows any local application to impersonate a trusted source and manipulate launcher entries known as 'FakeApps'. Exploitation of this vulnerability could lead to phishing attacks and user deception.
Impact
Exploitation of this vulnerability allows a malicious local application to add, remove, or replace 'FakeApp' entries on the device's launcher. 'FakeApps' are indistinguishable from legitimate entries, making it easy to deceive users. This could result in phishing, credential theft, wallet compromise, and denial of access to legitimate decentralized applications.
Reproduction
The vulnerability can be reproduced by sending a request to the 'FakeAppService' while spoofing the 'callingPackage' intent extra to mimic a trusted application. This can be done using Android's 'adb' tool to start the service with the appropriate intent extras. Once the service is invoked with the spoofed package name, it will process the request as if it came from a legitimate source, allowing unauthorized modifications to the 'FakeApp' entries.
Remediation
To address this vulnerability, developers should avoid using caller-supplied values for authorization checks. Instead, validate the calling application using 'Binder.getCallingUid()' and package manager verification. Additionally, enforce a signature-level custom permission on the service and mark it as 'android:exported="false"' if external access is not needed. It's also recommended to restrict 'FakeApp' management APIs to internal components only.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.