Kyocera’s Android printing app, with over a million installs, mishandles intents. Other malicious applications installed on the same device can exploit this flaw to download and install malware.
According to the Japanese government vulnerability portal Japan Vulnerability Notes (JVN), the issue is tracked as CVE-2023-25954 and affects the following applications: KYOCERA Mobile Print version 3.2.0.230119 and earlier (1 million installs on Google Play), UTAX/TA Mobile Print version 3.2.0.230119 and earlier (100,000 installs on Google Play), and Olivetti Mobile Print version 3.2.0.230119 and earlier (10,000 installs on Google Play).
Although the applications listed are from different publishers, they share the same codebase, which is why the vulnerability affects all of them.
KYOCERA has already published its own security bulletin, urging users to update as soon as possible to version 3.2.0.230227, which is available on Google Play.
“KYOCERA Mobile Print class applications allow the transmission of data from malicious third-party mobile applications, which can lead to the download of malicious files,” the company said. “With the KYOCERA Mobile Print browser, users can access malicious websites and download and run malicious files, potentially leading to the disclosure of internal information of mobile devices.”
For such an attack to succeed, the user must first install a malicious application on their device that triggers the download of the payload. This somewhat reduces the severity of the vulnerability, but such an application could be distributed easily, since it contains no malicious code of its own and requests no suspicious permissions at install time.
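The bug class described above is an in-app browser component that loads whatever URL another app hands it in an Intent. The following is an added example, not code from KYOCERA or the Mobile Print app: a hypothetical Android Activity (the name `PrintBrowserActivity`, the placeholder host and the method names are assumptions) showing the unchecked pattern next to a hardened version that allowlists the destination and refuses downloads.

```java
import android.app.Activity;
import android.net.Uri;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.util.Collections;
import java.util.Set;

// Hypothetical in-app browser that can be started by other apps via an Intent
// carrying a URL in its data field.
public class PrintBrowserActivity extends Activity {

    // Placeholder: the only host the in-app browser is meant to reach.
    private static final Set<String> ALLOWED_HOSTS =
            Collections.singleton("printer.example.internal");

    // Vulnerable pattern: the URL supplied by the calling app is rendered as-is,
    // so any app on the device can steer the browser to a site serving a file.
    private void loadUnchecked(WebView webView) {
        Uri target = getIntent().getData();
        if (target != null) {
            webView.loadUrl(target.toString());
        }
    }

    // Accept only https URLs whose host is on the allowlist.
    static boolean isAllowed(Uri target) {
        return target != null
                && "https".equals(target.getScheme())
                && target.getHost() != null
                && ALLOWED_HOSTS.contains(target.getHost().toLowerCase());
    }

    // Hardened pattern: validate the Intent data before loading it, keep later
    // navigation on the allowlist, and never hand downloads to the system.
    private void loadChecked(WebView webView) {
        Uri target = getIntent().getData();
        if (!isAllowed(target)) {
            finish();  // reject the request instead of rendering attacker-chosen content
            return;
        }
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, String url) {
                return !isAllowed(Uri.parse(url));  // true = block this navigation
            }
        });
        webView.setDownloadListener((url, ua, disposition, mime, len) -> { /* drop downloads */ });
        webView.loadUrl(target.toString());
    }
}
```

If the component does not need to be reachable from other apps at all, marking it `android:exported="false"` in the manifest removes the attack surface entirely.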