Freedom Factory dGEN1 Improper Authorization Vulnerability in ethOS Launcher
Vulnerability
A broken authorization vulnerability has been identified in the Freedom Factory dGEN1 phone, specifically in the Android launcher application 'org.ethosmobile.ethoslauncher'. The launcher exports a BroadcastReceiver called 'FakeAppReceiver' that relies on unvalidated intent extras to decide whether a request comes from a trusted application. Because the sender controls those extras, any local application can spoof the identity of a trusted caller and manipulate launcher entries. Exploitation allows unauthorized applications to add, remove, or replace 'FakeApp' entries, potentially leading to phishing and user deception.
Impact
Exploitation of this vulnerability allows a local application to add, remove, or replace 'FakeApp' entries in the launcher. This could be used to impersonate trusted decentralized applications, causing user deception, phishing, credential harvesting, or denial of access to legitimate applications.
Reproduction
The vulnerability can be reproduced by sending a broadcast intent to 'org.ethosmobile.ethoslauncher.FakeAppReceiver' without any special permissions. The intent must include a 'calling_package' extra that spoofs the trusted package identity, along with 'title' and 'url' extras. This can be done with the Android Debug Bridge (adb).
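A hardened form of the receiver described above, as an added example that is not the ethOS launcher's source and not taken from the original advisory. It assumes Android 14 (API 34) or later; the trusted package name, certificate digest, HTTPS-only rule and SharedPreferences storage are placeholders chosen for illustration.

```java
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageManager;
import android.net.Uri;
import android.os.Build;

// Added illustration; not the ethOS launcher source.
public class FakeAppReceiver extends BroadcastReceiver {
    // Assumptions: placeholder package name and signing-certificate digest.
    private static final String TRUSTED_PACKAGE = "com.example.trusteddapp";
    private static final byte[] TRUSTED_CERT_SHA256 = new byte[32]; // replace with real digest

    @Override
    public void onReceive(Context context, Intent intent) {
        // Pattern the advisory describes (kept as a comment): the sender's
        // identity is read from an extra that the sender itself fills in.
        //   String caller = intent.getStringExtra("calling_package");
        //   if (TRUSTED_PACKAGE.equals(caller)) { ...modify entries... }

        if (!senderIsTrusted(context)) {
            return; // fail closed: unknown or unverifiable sender
        }
        String title = intent.getStringExtra("title");
        String url = intent.getStringExtra("url");
        if (title == null || title.isEmpty() || url == null
                || !"https".equals(Uri.parse(url).getScheme())) {
            return; // assumed policy: reject missing fields and non-HTTPS targets
        }
        // Hypothetical storage: entries kept in private SharedPreferences.
        context.getSharedPreferences("fake_apps", Context.MODE_PRIVATE)
                .edit().putString(title, url).apply();
    }

    private boolean senderIsTrusted(Context context) {
        if (Build.VERSION.SDK_INT < Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            return false; // no OS-supplied sender identity before API 34
        }
        // Filled in by the system, and only when the sender opted in with
        // BroadcastOptions.setShareIdentityEnabled(true); otherwise null.
        String sender = getSentFromPackage();
        if (!TRUSTED_PACKAGE.equals(sender)) {
            return false;
        }
        // A package name alone can be claimed by whichever app installs first,
        // so also pin the signing certificate (API 28+).
        return context.getPackageManager().hasSigningCertificate(
                sender, TRUSTED_CERT_SHA256, PackageManager.CERT_INPUT_SHA256);
    }
}
```

Where the trusted callers are signed with the launcher's own key, a signature-level permission set through the receiver's `android:permission` manifest attribute gives the same guarantee without code, and `android:exported="false"` removes the exposure entirely if no other app needs to reach the receiver.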
