CVE-2026-3667
Received Received - Intake
Improper Authorization in Freedom Factory dGEN1 FakeAppService

Publication date: 2026-03-07

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Freedom Factory dGEN1 up to 20260221. The impacted element is the function FakeAppService of the component org.ethosmobile.ethoslauncher. The manipulation results in improper authorization. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-07
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-03-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-3667
EUVD
EUVD-2026-10174
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
freedom_factory dgen1 to 20260221 (inc)
org.ethosmobile ethoslauncher to 20260221 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-3667 is a broken authorization vulnerability in the Android launcher application org.ethosmobile.ethoslauncher on the Freedom Factory dGEN1 phone. It specifically affects the exported service FakeAppService, which manages 'FakeApp' entriesβ€”URL-based decentralized applications displayed on the launcher."}, {'type': 'paragraph', 'content': "The vulnerability arises because the service authorizes requests based solely on an untrusted caller-supplied string value (an intent extra named callingPackage) that claims to identify the calling app. The service does not validate the actual caller identity using Android's Binder.getCallingUid() or verify application signatures."}, {'type': 'paragraph', 'content': 'Since the service is exported and protected only by a non-restrictive permission, any local app can spoof the trusted package name by supplying the expected string and perform unauthorized operations such as adding, modifying, or deleting FakeApp entries.'}, {'type': 'paragraph', 'content': 'Because FakeApps appear identical to legitimate launcher icons, attackers can replace trusted decentralized applications with malicious URLs, enabling phishing, credential theft, wallet compromise, user deception, and denial of access to legitimate apps.'}] [1, 4]

Impact Analysis

This vulnerability allows any local malicious application on the affected device to perform unauthorized actions on the launcher by adding, removing, or modifying FakeApp entries.

  • Attackers can replace legitimate decentralized applications with malicious URLs that look identical to trusted apps.
  • This can lead to phishing attacks, credential harvesting, and compromise of cryptocurrency wallets.
  • Users can be deceived into interacting with malicious apps, resulting in loss of sensitive information or denial of access to legitimate applications.
  • The integrity, confidentiality, and availability of the affected system are impacted.
Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to interact with the FakeAppService on the affected device using adb shell commands that spoof the trusted calling package name. The service is exported and accessible locally without special permissions, allowing enumeration, addition, modification, or deletion of FakeApp entries.'}, {'type': 'paragraph', 'content': 'Example commands to test the vulnerability include using adb shell to start the FakeAppService with spoofed callingPackage values to add, remove, or replace FakeApp entries.'}, {'type': 'list_item', 'content': 'Add a malicious FakeApp entry: adb shell am startservice -n org.ethosmobile.ethoslauncher/.FakeAppService -a org.ethosmobile.ethoslauncher.ADD_FAKE_APP_SERVICE --es callingPackage org.ethereumphone.dappstoreapp --es title "Wallet" --es url "https://kurolytes.co"'}, {'type': 'list_item', 'content': 'Remove a legitimate FakeApp entry (e.g., OpenSea): adb shell am startservice -n org.ethosmobile.ethoslauncher/.FakeAppService -a org.ethosmobile.ethoslauncher.REMOVE_FAKE_APP_SERVICE --es callingPackage org.ethereumphone.dappstoreapp --es title "OpenSea" --es url "https://opensea.io"'}, {'type': 'list_item', 'content': 'Add a FakeApp entry to replace a legitimate one: adb shell am startservice -n org.ethosmobile.ethoslauncher/.FakeAppService -a org.ethosmobile.ethoslauncher.ADD_FAKE_APP_SERVICE --es callingPackage org.ethereumphone.dappstoreapp --es title "OpenSea" --es url "https://kurolytes.co"'}] [1, 4]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include restricting access to the FakeAppService and improving authorization checks to prevent unauthorized local applications from exploiting the vulnerability.'}, {'type': 'list_item', 'content': 'Do not rely on caller-supplied intent extras (such as callingPackage) for authorization.'}, {'type': 'list_item', 'content': "Validate the caller's identity using Android's Binder.getCallingUid() and verify the package with the package manager."}, {'type': 'list_item', 'content': 'Enforce signature-level custom permissions on the FakeAppService to restrict access.'}, {'type': 'list_item', 'content': 'If external access is not necessary, mark the FakeAppService as android:exported="false" to prevent other apps from accessing it.'}, {'type': 'list_item', 'content': 'Restrict FakeApp management APIs to internal components only.'}] [4]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-3667. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart