CVE-2018-17401

Name of the Vulnerable Software and Affected Versions PhonePe wallet (aka com.PhonePe.app) versions 3.0.6 through 3.3.26

Description The issue allows attackers to perform Account Takeover attacks by exploiting the Forgot Password feature. To exploit this, the user has to explicitly install a malicious app and provide accessibility permission to the malicious app. The Android platform provides fair warnings to the users before turning on accessibility for any application. This is similar to installing malicious keyboards or malicious apps taking screenshots.

Recommendations For versions 3.0.6 through 3.3.26, consider disabling the Forgot Password feature until a patch is available. Restrict access to the accessibility permission to minimize the risk of exploitation. Avoid installing malicious apps and do not provide accessibility permission to untrusted applications.