Impact
An Android application designed for file transfer, Rakuten Send Anywhere, is affected by a flaw that permits any untrusted app without permissions to compel the target app to download arbitrary files into its scoped storage. The victim files become visible in the trusted Received list, enabling the attacker to supply an APK that can be executed, thereby potentially achieving code execution. If the attacker supplies a large file, the target app may also suffer a denial of service by exhausting local resources.
Affected Systems
The flaw affects Rakuten Send Anywhere version 23.2.9 running on Android devices; only this version is listed as vulnerable.
Risk and Exploitability
The CVSS score of 8 indicates high severity, but the EPSS value of less than 1 % suggests that exploitation in the wild is currently unlikely. The vulnerability is not yet recorded in CISA’s KEV catalogue. The exploit requires the presence of a malicious background app that can issue download requests, so the attack surface is limited to devices where such untrusted apps are installed and able to trigger the attack.
OpenCVE Enrichment