CVE-2026-3667
Improper Authorization in Freedom Factory dGEN1 FakeAppService
Publication date: 2026-03-07
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| freedom_factory | dgen1 | up to 20260221 (inclusive) |
| org.ethosmobile | ethoslauncher | up to 20260221 (inclusive) |
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-266 | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-3667 is a broken authorization vulnerability in the Android launcher application org.ethosmobile.ethoslauncher on the Freedom Factory dGEN1 phone. It specifically affects the exported service FakeAppService, which manages 'FakeApp' entries: URL-based decentralized applications displayed on the launcher.

The vulnerability arises because the service authorizes requests based solely on an untrusted caller-supplied string value (an intent extra named callingPackage) that claims to identify the calling app. The service does not validate the actual caller identity using Android's Binder.getCallingUid() or verify application signatures.

Since the service is exported and protected only by a non-restrictive permission, any local app can spoof the trusted package name by supplying the expected string and perform unauthorized operations such as adding, modifying, or deleting FakeApp entries.

Because FakeApps appear identical to legitimate launcher icons, attackers can replace trusted decentralized applications with malicious URLs, enabling phishing, credential theft, wallet compromise, user deception, and denial of access to legitimate apps. [1, 4]
How can this vulnerability impact me?
This vulnerability allows any local malicious application on the affected device to perform unauthorized actions on the launcher by adding, removing, or modifying FakeApp entries.
- Attackers can replace legitimate decentralized applications with malicious URLs that look identical to trusted apps.
- This can lead to phishing attacks, credential harvesting, and compromise of cryptocurrency wallets.
- Users can be deceived into interacting with malicious apps, resulting in loss of sensitive information or denial of access to legitimate applications.
- The integrity, confidentiality, and availability of the affected system are impacted.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to interact with the FakeAppService on the affected device using adb shell commands that spoof the trusted calling package name. The service is exported and accessible locally without special permissions, allowing enumeration, addition, modification, or deletion of FakeApp entries.

Example commands to test the vulnerability include using adb shell to start the FakeAppService with spoofed callingPackage values to add, remove, or replace FakeApp entries.

- Add a malicious FakeApp entry: `adb shell am startservice -n org.ethosmobile.ethoslauncher/.FakeAppService -a org.ethosmobile.ethoslauncher.ADD_FAKE_APP_SERVICE --es callingPackage org.ethereumphone.dappstoreapp --es title "Wallet" --es url "https://kurolytes.co"`
- Remove a legitimate FakeApp entry (e.g., OpenSea): `adb shell am startservice -n org.ethosmobile.ethoslauncher/.FakeAppService -a org.ethosmobile.ethoslauncher.REMOVE_FAKE_APP_SERVICE --es callingPackage org.ethereumphone.dappstoreapp --es title "OpenSea" --es url "https://opensea.io"`
- Add a FakeApp entry to replace a legitimate one: `adb shell am startservice -n org.ethosmobile.ethoslauncher/.FakeAppService -a org.ethosmobile.ethoslauncher.ADD_FAKE_APP_SERVICE --es callingPackage org.ethereumphone.dappstoreapp --es title "OpenSea" --es url "https://kurolytes.co"`

[1, 4]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the FakeAppService and improving authorization checks to prevent unauthorized local applications from exploiting the vulnerability.

- Do not rely on caller-supplied intent extras (such as callingPackage) for authorization.
- Validate the caller's identity using Android's Binder.getCallingUid() and verify the package with the package manager.
- Enforce signature-level custom permissions on the FakeAppService to restrict access.
- If external access is not necessary, mark the FakeAppService as android:exported="false" to prevent other apps from accessing it.
- Restrict FakeApp management APIs to internal components only.

[4]
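The manifest-side mitigations above (signature-level permission, `android:exported="false"`) can be checked on a decoded `AndroidManifest.xml`. The following is an added example, not code from the vendor or from the original page: it flags exported services that are not gated by a signature-level permission. The two manifests are constructed samples rather than the launcher's real manifest, and the permission name `example.permission.MANAGE_FAKE_APPS` is hypothetical.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

def audit_services(manifest_xml):
    """Return (service, reason) for exported services lacking a signature-level gate."""
    root = ET.fromstring(manifest_xml)
    # protectionLevel of each permission this manifest declares (default is "normal")
    levels = {
        p.get(ANDROID + "name"): p.get(ANDROID + "protectionLevel", "normal")
        for p in root.iter("permission")
    }
    findings = []
    for svc in root.iter("service"):
        name = svc.get(ANDROID + "name")
        exported = svc.get(ANDROID + "exported")
        # With no explicit attribute, an intent-filter makes the service exported
        if exported is None:
            exported = "true" if svc.find("intent-filter") is not None else "false"
        if exported != "true":
            continue
        perm = svc.get(ANDROID + "permission")
        if perm is None:
            findings.append((name, "exported with no permission"))
        elif perm not in levels:
            findings.append((name, f"permission {perm} not declared here; check its level"))
        elif not levels[perm].startswith("signature"):
            findings.append((name, f"permission {perm} is {levels[perm]}, not signature"))
    return findings

# Constructed sample: exported service guarded only by a "normal" permission
WEAK = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="org.ethosmobile.ethoslauncher">
  <permission android:name="example.permission.MANAGE_FAKE_APPS"
      android:protectionLevel="normal"/>
  <application>
    <service android:name=".FakeAppService" android:exported="true"
        android:permission="example.permission.MANAGE_FAKE_APPS"/>
  </application>
</manifest>"""

# Constructed sample: same manifest with the permission raised to signature level
HARDENED = WEAK.replace('"normal"', '"signature"')

if __name__ == "__main__":
    for label, doc in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_services(doc))
```

A clean result only covers the manifest; the service code must still stop using the `callingPackage` extra for authorization.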