Full Report
Uhale Android-based digital picture frames come with multiple critical security vulnerabilities and some of them download and execute malware at boot time. [...]
Analysis Summary
# Incident Report: Ubiquitous Malware on Uhale Digital Picture Frames
## Executive Summary
Multiple critical security vulnerabilities, including a pre-installed malware delivery mechanism, were discovered in Uhale Android-based digital picture frames by security researchers. Affected devices automatically download and execute malware (linked to the Vo1d and Mzmess botnets) once the Uhale app updates to version 4.2.0 and the device reboots. The impact is severe: the devices ship with SELinux disabled and rooted by default, so they are fully compromised out of the box. The vendor (ZEASN/Whale TV) has not responded to notifications sent since May 2025.
## Incident Details
- Discovery Date: Not stated precisely; before May 2025, when researchers first notified the vendor. Findings were published on November 13, 2025.
- Incident Date: Ongoing. The payload is fetched and executed at boot on devices that have updated to Uhale app 4.2.0; exposure may predate the May 2025 vendor notification.
- Affected Organization: ZEASN (Whale TV), the platform provider for numerous third-party digital picture frame brands utilizing the Uhale app.
- Sector: Consumer Electronics / IoT
- Geography: Implicated servers are China-based; affected devices are globally distributed (Google Play/App Store/Amazon listings).
## Timeline of Events
### Initial Access
- Date/Time: Upon device boot combined with the Uhale app update to version 4.2.0.
- Vector: Supply chain/Pre-installed vulnerabilities combined with automatic software update process.
- Details: The device checks for and installs the Uhale app update to version 4.2.0, reboots, then downloads a JAR/DEX payload into the app's file directory and executes it. The payload is loaded again on every subsequent boot.
### Lateral Movement
- Analysis links the downloaded payload to the Vo1d botnet and Mzmess malware. Lateral movement within a network is not described; the documented behaviour is persistence on the device itself, with the unauthenticated file server on port 17802 as the device's main exposure to other hosts on the local network.
### Data Exfiltration/Impact
- Impact centers on device compromise (the device is already rooted) and execution of a payload linked to botnets (Vo1d). No specific exfiltrated data is described, but RCE as root and an unauthenticated file server pose severe risks to any data stored on or passing through the device.
### Detection & Response
- Detection: Conducted by security firm Quokka during an in-depth security assessment of the Uhale app.
- Response actions taken: Researchers notified ZEASN (Whale TV) starting in May 2025 but received no reply. Researchers published findings publicly in November 2025.
## Attack Methodology
- Initial Access: Supply chain compromise (malware delivery during app update workflow) enabled by severe pre-existing configuration vulnerabilities.
- Persistence: Malicious JAR/DEX file is loaded and executed at *every* subsequent boot.
- Privilege Escalation: Devices shipped **rooted by default**, granting maximum privileges immediately.
- Defense Evasion: SELinux security module was **disabled** on examined frames.
- Credential Access: Not explicitly detailed, but RCE as root gives access to any credentials stored on the device.
- Discovery: Not explicitly detailed for the attacker post-compromise.
- Lateral Movement: Not explicitly detailed beyond the established malicious persistence.
- Collection: Not explicitly detailed.
- Exfiltration: Not explicitly detailed.
- Impact: Remote Code Execution (RCE) as root via the app's flawed TrustManager (TLS certificate validation); unauthenticated arbitrary file upload via the file server exposed on TCP port 17802; full device control because the device ships rooted.
## Impact Assessment
- Financial: Estimated costs for remediation and recall/replacement are not available.
- Data Breach: Data type is unknown, but the ability to execute code as root implies full device compromise and potential access to any locally stored data or network communication.
- Operational: The exact device count is not reported. Because the platform is shared by multiple frame brands, the exposure spans a large, multi-brand consumer install base and represents a significant user security and privacy risk.
- Reputational: Significant negative impact for ZEASN/Whale TV and all reseller brands.
## Indicators of Compromise
- Network Indicators: China-based servers used for payload download (Server details defanged/omitted).
- File Indicators: A malicious JAR/DEX file saved under the Uhale app's file directory, with package prefixes and string names consistent with Vo1d and Mzmess malware.
- Behavioral Indicators: The Uhale app updating to 4.2.0, the device rebooting after the update, and the payload executing on each subsequent boot.
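The indicators above, together with the rooted/SELinux-disabled/test-keys defaults and the exposed port described under Attack Methodology, can be checked offline from a handful of `adb shell` captures. The following triage script is an added example written for this summary, not code from Quokka, ZEASN or the report; it assumes the captures are taken with `getprop`, `getenforce`, `which su`, `ss -ltn`, `dumpsys package <pkg>` and a recursive file listing of the app's data directory, and it uses a placeholder package name `com.example.uhale` because the report does not give the real one. The sample capture embedded at the bottom is constructed to match the report, not recorded from a device.

```python
"""Offline triage of one Android picture frame against the indicators in this report."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Assumption: the report does not name the Uhale app's package; replace this placeholder
# with the real package name from `adb shell pm list packages` before use.
UHALE_PKG = "com.example.uhale"
FILE_SERVER_PORT = 17802       # unauthenticated upload service named in the report
FLAGGED_APP_VERSION = "4.2.0"  # app version whose update triggers the payload download


@dataclass(frozen=True)
class Finding:
    severity: str    # "critical" or "high"
    indicator: str
    evidence: str


def parse_getprop(text: str) -> dict:
    """Parse `adb shell getprop` output, one `[key]: [value]` per line, into a dict."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"^\[([^\]]+)\]:\s*\[([^\]]*)\]\s*$", text, re.M)}


def check_build(props: dict) -> list:
    """Rooted/debug build markers: AOSP test-keys, ro.secure=0, ro.debuggable=1."""
    out = []
    tags = props.get("ro.build.tags", "")
    if "test-keys" in tags.split(","):
        out.append(Finding("high", "build signed with AOSP test-keys", f"ro.build.tags={tags}"))
    if props.get("ro.secure") == "0" or props.get("ro.debuggable") == "1":
        out.append(Finding("critical", "rooted/debuggable build",
                           f"ro.secure={props.get('ro.secure')} ro.debuggable={props.get('ro.debuggable')}"))
    return out


def check_selinux(getenforce_output: str) -> list:
    """Anything other than Enforcing means the policy is not confining the malware."""
    mode = getenforce_output.strip() or "unknown"
    return [] if mode == "Enforcing" else [Finding("critical", "SELinux not enforcing", f"getenforce={mode}")]


def check_su(which_su_output: str) -> list:
    path = which_su_output.strip()
    return [Finding("critical", "su binary present", path)] if path else []


def check_listeners(ss_output: str, port: int = FILE_SERVER_PORT) -> list:
    """Scan `adb shell ss -ltn` output for the file-server port; bound to all interfaces is critical."""
    out = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, _, p = cols[3].rpartition(":")   # cols[3] is "Local Address:Port"
        if p == str(port):
            sev = "critical" if host in ("0.0.0.0", "*", "[::]", "::") else "high"
            out.append(Finding(sev, f"TCP port {port} listening", cols[3]))
    return out


def check_app_version(dumpsys_output: str) -> list:
    """`adb shell dumpsys package <pkg>` prints versionName=...; 4.2.0 is the flagged version."""
    m = re.search(r"versionName=(\S+)", dumpsys_output)
    if m and m.group(1) == FLAGGED_APP_VERSION:
        return [Finding("high", f"Uhale app at version {FLAGGED_APP_VERSION}", m.group(0))]
    return []


def find_payload_files(listing: str, pkg: str = UHALE_PKG) -> list:
    """Loadable code (.jar/.dex) under the app's private data directory, where the report places the payload."""
    base = f"/data/data/{pkg}/"
    return [Finding("critical", "JAR/DEX under app data directory", p.strip())
            for p in listing.splitlines()
            if p.strip().startswith(base) and p.strip().lower().endswith((".jar", ".dex"))]


def triage(getprop: str, getenforce: str, which_su: str, ss: str, dumpsys: str, listing: str) -> list:
    return (check_build(parse_getprop(getprop)) + check_selinux(getenforce) + check_su(which_su)
            + check_listeners(ss) + check_app_version(dumpsys) + find_payload_files(listing))


def verdict(findings: list) -> str:
    if any(f.severity == "critical" for f in findings):
        return "compromised-or-exposed"
    return "review" if findings else "clean"


# Constructed sample capture (not output from a real device) of a frame matching the report.
SAMPLE = dict(
    getprop="[ro.build.tags]: [test-keys]\n[ro.secure]: [0]\n[ro.debuggable]: [1]\n",
    getenforce="Permissive\n",
    which_su="/system/xbin/su\n",
    ss=("State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process\n"
        "LISTEN 0      50     0.0.0.0:17802      0.0.0.0:*\n"
        "LISTEN 0      128    127.0.0.1:5037     0.0.0.0:*\n"),
    dumpsys="    versionCode=420 minSdk=21 targetSdk=28\n    versionName=4.2.0\n",
    listing=(f"/data/data/{UHALE_PKG}/files/update.jar\n"
             f"/data/data/{UHALE_PKG}/files/photos/a.jpg\n"
             f"/data/data/{UHALE_PKG}/shared_prefs/settings.xml\n"),
)

if __name__ == "__main__":
    results = triage(**SAMPLE)
    for f in results:
        print(f"[{f.severity}] {f.indicator}: {f.evidence}")
    print("verdict:", verdict(results))
```

The checks are deliberately independent so a partial capture (for example, no `ss` on an old image) still yields the other findings. A JAR/DEX hit under `files/` is treated as critical on its own because a picture-frame app has no legitimate reason to stage loadable code there; the build, SELinux and `su` checks would also fail on a clean but insecurely configured frame, which is exactly the "compromised out of the box" condition the report describes.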
## Response Actions
- Containment measures: No containment by the vendor has been reported. Researchers recommended that consumers stop using the devices immediately.
- Eradication steps: None from the vendor. Users can only factory reset or replace the device; because the payload is delivered through the app's own update path, a reset alone does not remove the exposure.
- Recovery actions: None reported.
## Lessons Learned
- **Severe Supply Chain Risk:** Relying on platforms (like Uhale) that ship devices with foundational security controls disabled (SELinux disabled, rooted default) creates an immediate, critical risk.
- **Vendor Negligence:** Failure of ZEASN to respond to reported critical vulnerabilities since May 2025 highlights significant risk in vendor security accountability.
- **Insecure Defaults:** Shipping hardware with test-keys and root access exposes devices to immediate exploitation regardless of application-level vulnerabilities.
## Recommendations
- Consumers should stop using affected Uhale-based frames and treat unrecognized or unverified Android-based IoT devices with caution, especially those that depend on a third-party application for core functionality.
- Developers and platform providers (ZEASN) must immediately patch the 17 disclosed vulnerabilities, prioritizing the RCE flaws (CVE-2025-58392/58397) and insecure update mechanisms (CVE-2025-58388).
- All devices must ship with SELinux in Enforcing mode and must not ship rooted or signed with AOSP test-keys.