Description
SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
Published: 2026-05-27
Score: n/a
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local attacker with physical access to a device can bypass the fingerprint or PIN authentication enforced by the SpSoft AppLock (com.sp.protector.free) application. The app uses a custom overlay that does not consistently enforce the biometric or PIN challenge, so an attacker can navigate through insecure interface flows and exit the lock screen without completing authentication. This grants the attacker access to apps that the lock is intended to protect, such as the Chrome browser, resulting in the disclosure of user data and the ability to gain elevated privileges on the device.

Affected Systems

SpSoft AppLock version 7.9.40 running on Android devices. No other product versions or vendors are listed in the CVE record.

Risk and Exploitability

Exploitation requires physical access to the device: the attacker manipulates exposed routes and advertisement or browser intents to reach the application and bypass the lock overlay. There is no available EPSS score and the vulnerability is not listed in CISA KEV, but the lack of consistent authentication enforcement presents a high risk for local attackers. No CVSS score is specified, yet the impact is substantial due to the combination of authentication bypass and privilege escalation.

Generated by OpenCVE AI on May 27, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available update to SpSoft AppLock that restores consistent authentication enforcement
  • If an update is not currently available, disable or remove the SpSoft AppLock application from the device
  • Restrict or monitor advertisement and browser intents that can launch the app by configuring device security settings or using a mobile device management solution

Advisories

No advisories yet.

History

Wed, 27 May 2026 21:15:00 +0000

Type | Values Removed | Values Added
Title | | Authentication Bypass in SpSoft AppLock via Inconsistent Overlay and Intent Navigation
Weaknesses | | CWE-284

Wed, 27 May 2026 16:30:00 +0000

Type | Values Removed | Values Added
Description | | SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T15:53:31.978Z

Reserved: 2025-12-24T00:00:00.000Z

Link: CVE-2025-68712

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-27T17:16:29.063

Modified: 2026-05-27T20:04:31.980

Link: CVE-2025-68712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T21:00:14Z

Weaknesses