PT-2018-14013 · Phonepe · Phonepe

Published: 2018-09-23 · Updated: 2024-08-05 · CVE-2018-17400

CVSS v3.1: 7.0 (High)
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: PhonePe wallet (aka com.PhonePe.app) versions 3.0.6 through 3.3.26
Description: The issue might allow attackers to perform Account Takeover attacks by intercepting the user name and PIN during the initial configuration of the application. To exploit this, the user has to explicitly install a malicious app and grant it the accessibility permission. The Android platform warns the user clearly before accessibility is turned on for any application. The risk is comparable to installing a malicious keyboard or a malicious app that takes screenshots.

Recommendations: For versions 3.0.6 through 3.3.26, consider disabling the accessibility permission for any newly installed applications until a patch is available. Restrict the installation of applications from untrusted sources to minimize the risk of exploitation. Avoid granting the accessibility permission to applications that do not require it.
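The recommendations above amount to auditing which apps hold the accessibility permission. The following script is an added example, not part of the advisory or of PhonePe's code: it parses the value of the Android secure setting enabled_accessibility_services (the text that `adb shell settings get secure enabled_accessibility_services` prints, a colon-separated list of package/service entries, or `null` when none is enabled) and flags every enabled service whose package is not on a vetted allowlist. The sample setting value, the package names and the allowlist are constructed for illustration.

```python
"""Audit enabled Android accessibility services against an allowlist.

Added example (not from the advisory). Input is the value of the secure
setting `enabled_accessibility_services` as printed by
`adb shell settings get secure enabled_accessibility_services`.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample value. Entries are separated by ':' and each one is
# 'package/service_class'; a class beginning with '.' is relative to the
# package. The last entry is a hypothetical third-party app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.example.screenreader/.ReaderService"
    ":com.example.freegame/com.example.freegame.HelperService"
)

# Hypothetical allowlist: packages an organisation has reviewed and accepts
# as legitimate holders of the accessibility permission.
ALLOWED_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
    "com.example.screenreader",
})


@dataclass(frozen=True)
class AccessibilityService:
    package: str
    service_class: str  # fully qualified class name


def parse_enabled_services(setting: str) -> List[AccessibilityService]:
    """Turn the raw setting value into (package, fully qualified class) pairs.

    `null` (the value when no service is enabled) yields an empty list;
    malformed entries without a '/' are skipped.
    """
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    services: List[AccessibilityService] = []
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry:
            continue
        package, sep, cls = entry.partition("/")
        if not sep or not package or not cls:
            continue  # not a package/class pair
        if cls.startswith("."):
            cls = package + cls  # expand the relative class name
        services.append(AccessibilityService(package, cls))
    return services


def unexpected_services(
    setting: str, allowed: Iterable[str] = ALLOWED_PACKAGES
) -> List[AccessibilityService]:
    """Return the enabled services whose package is not on the allowlist."""
    allowed_set = set(allowed)
    return [
        s for s in parse_enabled_services(setting) if s.package not in allowed_set
    ]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING):
        print(f"REVIEW: accessibility enabled for {svc.package} ({svc.service_class})")
```

On a managed device the same check can be fed the live value from `adb shell settings get secure enabled_accessibility_services`; any package reported for review is one that can observe text entered into other apps and should be disabled unless it is a known accessibility tool.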

Related Identifiers: CVE-2018-17400

Affected Products: Phonepe