PT-2022-17938 · Pax A930+1

Wr3Nchsr · Published 2022-12-16 · Updated 2024-10-27 · CVE-2022-26579

CVSS v3.1: 6.0 (Medium)
Vector: AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions
PAX A930 device with PayDroid versions 7.1.1 Virgo V04.3.26T1 20210419 through 7.1.1 Virgo V04.4.02 20211201

Description
The issue allows a root-privileged attacker to install unsigned packages on the device. To exploit this, the attacker must have shell access to the device and gain root privileges. The unsigned package is installed by copying the APK to /data/app, setting the appropriate permissions, and rebooting the device.

Recommendations
For PayDroid version 7.1.1 Virgo V04.3.26T1 20210419, consider restricting access to the device's shell to prevent attackers from gaining root privileges. For PayDroid version 7.1.1 Virgo V04.4.02 20211201, avoid using the device's package installation feature until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Weakness Enumeration
Insufficient Verification of Data Authenticity

Related Identifiers
CVE-2022-26579

Affected Products
Pax A930
Paydroid