Kyocera Android app with 1M installs can be abused to drop malware

A Kyocera Android printing app is vulnerable to improper intent handling, allowing other malicious applications to abuse the flaw to download and potentially install malware on devices.

According to a security notice by JVN (Japanese Vulnerability Notes), a state-supported portal dedicated to raising awareness on matters of security, the issue, the flaw is tracked as CVE-2023-25954 and impacts the following apps:

• KYOCERA Mobile Print v3.2.0.230119 and earlier (1 million downloads on Google Play)
• UTAX/TA Mobile Print v3.2.0.230119 and earlier (100k downloads on Google Play)
• Olivetti Mobile Print v3.2.0.230119 and earlier (10k downloads on Google Play)

Although the apps list different publishers, they are based on the same code; thus, the vulnerability impacts all three.

KYOCERA published a security bulletin on the issue yesterday, urging users of its printing app to upgrade to version 3.2.0.230227, currently available via Google Play.

"KYOCERA Mobile Print's application class allows data transmission from malicious third-party mobile applications, which could result in malicious files being downloaded," reads the vendor's notice.

"And, by using the KYOCERA Mobile Print web browser functionality, malicious sites can be accessed and malicious files can be downloaded and executed, which can lead to the acquisition of internal information on mobile devices."

For such an attack to occur, the user must also install a second malicious application on their device that will trigger the payload download.

Despite that requirement mitigating the severity of the flaw, it would be easy to distribute a malicious app that takes advantage of the issue, as it wouldn't have to include risky code, request the approval of risky permissions upon installation, etc.

Instead, it would just have to check for the presence of these vulnerable apps and abuse them to install malware.

Android 14 to lessen the risk

The upcoming Android 14 version is poised to handle intents more securely, mitigating the associated risks and making it harder to conceal the true nature of "under the hood" data exchanges.

Starting from Android 14, the exchange of intents between apps will be restricted, requiring the definition of specific recipients by the sender, the declaration of what information an app needs to receive from other apps, and whether or not receivers should be limited to system broadcasts.

This security enhancement would shield privileged apps like printing utilities from malicious intents sent by other applications running on the same device