CVE-2025-68713
Received - Intake
Arbitrary File Download in Send Anywhere Android App

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An issue was discovered in Rakuten Send Anywhere (File Transfer) for Android (com.estmob.android.sendanywhere) 23.2.9. The vulnerability allows untrusted applications (with no permissions) to force arbitrary file downloads into the app's scoped storage. The resulting files appear in the application's trusted Received interface. These conditions establish a vector for arbitrary code execution if the payload is an APK file, or a denial-of-service condition through resource exhaustion from oversized transfers.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: rakuten
Product: sendaanywhere
Version / Range: 23.2.9
CWE ID: CWE-UNKNOWN
Executive Summary

This vulnerability exists in Rakuten Send Anywhere (File Transfer) for Android version 23.2.9. It allows untrusted applications, even those without any permissions, to force the app to download arbitrary files into its scoped storage.

These downloaded files then appear in the application's trusted Received interface, making them seem legitimate to the user.

An attacker can exploit this by having a malicious local app send an explicit VIEW intent targeting the exported activity com.estmob.paprika4.activity.ViewActivity, specifying an arbitrary http or https URL. The app automatically downloads the file, including potentially harmful APK files.

This creates a vector for arbitrary code execution if the payload is an APK file, or can cause a denial-of-service condition through resource exhaustion from oversized file transfers.

Impact Analysis

The vulnerability can impact you by allowing attackers to place malicious files into the trusted interface of the app, potentially tricking you into installing harmful APK files.

This can lead to arbitrary code execution on your device, compromising its security.

Additionally, attackers can cause a denial-of-service condition by forcing the app to download very large files, exhausting device storage resources.

Detection Guidance

This vulnerability can be detected by monitoring for unexpected or unauthorized use of the exported activity com.estmob.paprika4.activity.ViewActivity in the Rakuten Send Anywhere app. Specifically, look for explicit VIEW intents targeting this activity with arbitrary http or https URLs that trigger automatic file downloads into the app's scoped storage.

On an Android device, the following commands can help detect suspicious activity related to this vulnerability:

  • Use adb logcat to monitor for intents sent to com.estmob.paprika4.activity.ViewActivity (grep -F matches the name literally, so the dots are not treated as wildcards):
      adb logcat | grep -F com.estmob.paprika4.activity.ViewActivity
  • Check for recently downloaded files in the app's scoped storage directory, typically under /data/data/com.estmob.android.sendanywhere/files or similar.
  • Use adb shell commands to list files in the app's Received interface directory. Paths under /data/data are private to the app, so this listing only works on a rooted device or against a debuggable build:
      adb shell ls -l /data/data/com.estmob.android.sendanywhere/files/Received

Monitoring network traffic for unusual HTTP or HTTPS requests initiated by the app to download files without user interaction may also help detect exploitation attempts.
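
The log check described above, as an added example (not from the advisory or the vendor): a shell filter that reads logcat text and reports VIEW launches of the exported activity that carry an http or https URI, together with the caller's uid. The log-line layout and the sample records are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Flags logcat launch records in which a VIEW
# intent carrying an http(s) data URI reaches the exported ViewActivity.
# Assumption: the system logs activity launches in the usual
#   "START u0 {act=... dat=... cmp=pkg/class} from uid N"
# shape; the exact layout differs between Android releases.

TARGET='com.estmob.android.sendanywhere/com.estmob.paprika4.activity.ViewActivity'

# Reads logcat text on stdin; prints "uid=<caller uid> dat=<logged URI>"
# for every matching launch. Non-http(s) URIs and other components are skipped.
flag_view_launches() {
    awk -v target="$TARGET" '
        index($0, "START ") && index($0, "cmp=" target) &&
        index($0, "act=android.intent.action.VIEW") {
            if (!match($0, /dat=https?:[^ }]*/)) next
            dat = substr($0, RSTART + 4, RLENGTH - 4)
            uid = "unknown"
            if (match($0, /from uid [0-9]+/))
                uid = substr($0, RSTART + 9, RLENGTH - 9)
            print "uid=" uid " dat=" dat
        }'
}

# Constructed sample records (hosts, uids and timestamps are made up).
sample_log() {
    cat <<'EOF'
06-15 10:01:02.123  1234  1300 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=https://files.example.test/... flg=0x10000000 cmp=com.estmob.android.sendanywhere/com.estmob.paprika4.activity.ViewActivity} from uid 10321
06-15 10:01:09.500  1234  1300 I ActivityTaskManager: START u0 {act=android.intent.action.MAIN cat=[android.intent.category.LAUNCHER] cmp=com.example.notes/.MainActivity} from uid 10088
06-15 10:02:30.010  1234  1300 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=content://com.example.provider/... cmp=com.estmob.android.sendanywhere/com.estmob.paprika4.activity.ViewActivity} from uid 10150
06-15 10:03:44.777  1234  1300 I ActivityTaskManager: START u0 {act=android.intent.action.VIEW dat=http://198.51.100.7/... cmp=com.estmob.android.sendanywhere/com.estmob.paprika4.activity.ViewActivity} from uid 10407
EOF
}

sample_log | flag_view_launches
```

On a connected device, pipe `adb logcat -d` into flag_view_launches instead of the sample; a reported uid that does not belong to Send Anywhere itself is the case worth investigating.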

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the exported activity com.estmob.paprika4.activity.ViewActivity to prevent untrusted applications from sending explicit VIEW intents that trigger arbitrary file downloads.

Additional steps are:

  • Update the Rakuten Send Anywhere app to a version where this vulnerability is patched, if available.
  • If an update is not available, consider uninstalling or disabling the app until a fix is released.
  • Limit installation of untrusted or unknown applications that could exploit this vulnerability.
  • Monitor device storage for unexpected large files that could indicate exploitation attempts causing resource exhaustion.