Description
SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
Published: 2026-05-27
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A local attacker with physical access to an Android device can bypass the fingerprint or PIN authentication enforced by SpSoft AppLock (com.sp.protector.free). The application uses a custom overlay that inconsistently enforces the biometric or PIN challenge; by exploiting exposed navigation routes and advertising or browser intents, the attacker can exit the lock interface without completing authentication. This grants access to protected applications such as the Chrome browser, resulting in information disclosure and elevated privileges on the device.

Affected Systems

SpSoft AppLock version 7.9.40 running on Android devices. No other vendors or product versions are listed in this CVE record.

Risk and Exploitability

The exploit requires physical access and hinges on the application's poorly enforced overlay and exposed intent routes. The EPSS score is reported as below 1%, indicating a very low likelihood of exploitation. The CVSS score of 5.5 reflects medium severity, capturing the potential for privilege escalation and data exposure, though the exploitation probability remains limited. The vulnerability is not listed in CISA KEV.

Generated by OpenCVE AI on May 28, 2026 at 19:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest available update for SpSoft AppLock that resolves the inconsistent overlay authentication
  • If no update is available, consider uninstalling or disabling the SpSoft AppLock application to eliminate the attack surface
  • Configure device security or mobile device management to restrict or monitor advertisement and browser intents that can launch the app

Advisories

No advisories yet.

History

Sat, 30 May 2026 23:00:00 +0000

Changes (type: values):
  First Time appeared: Actuator, Actuator com.sp.protector.free
  Vendors & Products: Actuator, Actuator com.sp.protector.free

Thu, 28 May 2026 18:00:00 +0000

Changes (type: values):
  Title: Authentication Bypass in SpSoft AppLock via Inconsistent Overlay and Intent Navigation
  Weaknesses: CWE-284

Thu, 28 May 2026 16:30:00 +0000

Changes (type: values):
  Weaknesses: CWE-285, CWE-287
  Metrics:
    cvssV3_1: {'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 27 May 2026 21:15:00 +0000

Changes (type: values):
  Title: Authentication Bypass in SpSoft AppLock via Inconsistent Overlay and Intent Navigation
  Weaknesses: CWE-284

Wed, 27 May 2026 16:30:00 +0000

Changes (type: values):
  Description: SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
  References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T15:51:34.786Z

Reserved: 2025-12-24T00:00:00.000Z

Link: CVE-2025-68712

Vulnrichment

Updated: 2026-05-28T15:51:25.321Z

NVD

Status : Deferred

Published: 2026-05-27T17:16:29.063

Modified: 2026-05-28T17:16:19.543

Link: CVE-2025-68712

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:22:25Z

Weaknesses