CVE-2018-14992

Name of the Vulnerable Software and Affected Versions ASUS ZenFone 3 Max Android device with a build fingerprint of asus/US Phone/ASUS X008 1:7.0/NRD90M/US Phone-14.14.1711.92-20171208:user/release-keys

Description The pre-installed platform app com.asus.dm (versionCode=1510500200, versionName=1.5.0.40 171122) has an exposed interface in an exported service named com.asus.dm.installer.DMInstallerService. This allows any app co-located on the device to use its capabilities to download an arbitrary app over the internet and install it. To exploit this, an app can send an intent with specific embedded data, including download URL, package name, version name from the app's AndroidManifest.xml file, and the MD5 hash of the app. The same unprotected component can also be used to programmatically uninstall apps installed using this method.

Recommendations For the ASUS ZenFone 3 Max Android device, consider disabling the com.asus.dm.installer.DMInstallerService service until a patch is available to prevent arbitrary app downloads and installations. Restrict access to the com.asus.dm app to minimize the risk of exploitation. Avoid using the com.asus.dm.installer.DMInstallerService service for app installation and uninstallation until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.