Description

> Experts have found that many of the digital frame models analyzed download malicious payloads from Chinese servers immediately after ignition. At startup, devices check for an update of the Uhale app, install the update to version 4.2.0 and restart. After restarting, the updated app starts downloading and running the malware.
>
> The downloaded JAR/DEX file is saved in the Uhale application directory and run at each subsequent system start. It is not yet clear why version 4.2.0 of the application became malicious (whether this was done intentionally by the developers themselves or whether the ZEASN upgrade infrastructure was compromised).
>
> The malware detected has been linked to the Vo1d botnet, which has millions of devices, as well as the Mzmess family of malware. This connection is confirmed by packet prefixes, string names, endpoints, the malware distribution process, and a range of artifacts.
>
> In addition to the automatic download of the malware (which did not occur on all the frames analyzed), the researchers also discovered numerous vulnerabilities. In their report, Quokka's specialists detailed 17 problems, 11 of which have already received CVE identifiers.

The most serious are:

  • CVE-2025-58392 and CVE-2025-58397 – An insecure TrustManager implementation lets a man-in-the-middle attacker inject counterfeit responses over the encrypted channel, ultimately leading to remote code execution with root privileges;
  • CVE-2025-58388 – During an application update, raw file names are passed directly to shell commands, allowing command injection and remote installation of arbitrary APKs;
  • CVE-2025-58394 – All the camera frames tested were shipped with SELinux disabled, root access enabled by default and the AOSP public test keys, which means they were completely compromised from the first moment;
  • CVE-2025-58396 – A pre-installed application launches a file server on TCP port 17802 that accepts file uploads without authentication. As a result, any host on the local network can write or delete arbitrary files on the device;
  • CVE-2025-58390 – The app's WebView ignores SSL/TLS errors and allows mixed content, letting attackers inject or intercept data viewed on the device and opening the door to phishing and content spoofing.
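The two certificate-validation flaws above (the insecure TrustManager behind CVE-2025-58392/58397 and the WebView that ignores SSL errors in CVE-2025-58390) share one root cause: code that overrides the platform's TLS checks and accepts whatever the server presents. The following Android/Java snippet is an added illustration, not code from the Uhale app or from Quokka's report; it shows the generic insecure pattern next to its hardened counterpart so reviewers can recognise both during an app audit. Class and method names are constructed for the example.

```java
import android.net.http.SslError;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsValidationPatterns {

    // INSECURE PATTERN (illustrative): a TrustManager whose check methods never
    // throw accepts any certificate chain, and the lambda verifier accepts any
    // hostname. An on-path attacker can then serve a forged "update" response.
    static void installTrustAllManager() throws Exception {
        TrustManager[] trustAll = { new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        } };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);
    }

    // HARDENED: install no custom TrustManager or HostnameVerifier. The platform
    // default validates the chain against the system trust store and checks the
    // hostname; the update client just opens the connection.
    static HttpsURLConnection openUpdateConnection(URL updateUrl) throws IOException {
        return (HttpsURLConnection) updateUrl.openConnection();
    }

    // INSECURE WebViewClient: proceeding on an SSL error loads content served
    // under an invalid or forged certificate.
    static class InsecureClient extends WebViewClient {
        @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
            h.proceed();
        }
    }

    // HARDENED: cancel on any SSL error (the platform default) and refuse mixed
    // content so plaintext resources cannot be injected into an HTTPS page.
    static void configureWebView(WebView webView) {
        webView.getSettings().setMixedContentMode(WebSettings.MIXED_CONTENT_NEVER_ALLOW);
        webView.setWebViewClient(new WebViewClient() {
            @Override public void onReceivedSslError(WebView v, SslErrorHandler h, SslError e) {
                h.cancel();
            }
        });
    }
}
```

Auditing tip: grep decompiled or source APKs for `checkServerTrusted` bodies that are empty, `HostnameVerifier` lambdas returning `true`, and `onReceivedSslError` overrides that call `proceed()`; each is a finding of the kind listed above.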

Vulnerabilities included in this bundle
Meta
[
  {
    "ref": "https://poliverso.org/display/0477a01e-79ed001a-d4bb107377544f27"
  }
]
Combined detection rules

Detection rules are retrieved from Rulezet.
