Key Takeaways:
- Pre-installed launcher lets remote servers silently install/remove/replace apps and run code with system privileges
- Insecure networking library (xUtils3) makes the app-control channel vulnerable to MITM attacks
- Quokka’s researchers uncovered this hidden launcher vulnerability via Q-mast analysis
Quokka’s researchers recently dug into a modified version of the Android launcher app and found it had the ability to silently install, remove, and replace other apps on your phone, all over a connection that barely checks who it’s talking to. In addition, it checks every four hours to see if there is code available to download and execute with system-level privileges.
What’s a launcher?
On Android, the “launcher” is the app that serves as the home screen, much like the desktop on a PC; it shows your app icons, widgets, and notifications. The Android Open Source Project (AOSP), the core Android code from Google, provides a stock launcher app with the package name com.android.launcher3, which device makers are free to use as a template to customize and extend since Android is open source. This openness is generally a good thing, although it also means a phone vendor can quietly “bolt on” extra functionality that has nothing to do with typical launcher behavior.
Meet the Prize Launcher aka “PriLauncher”
An Original Design Manufacturer (ODM) called Prize modified the stock AOSP launcher and shipped it under the same package name as the AOSP launcher, com.android.launcher3, so it looks like the normal, harmless launcher at first glance. Our researchers refer to this modified app as “PriLauncher” after the filenames PriLauncher.apk and PriLauncher3QuickStep.apk found in the firmware.
This modified launcher turned up in production firmware from several budget Android vendors, including BLU, Gigaset, and Doogee, with at least one confirmed vulnerable model from each. A device from another vendor, Lava, also contained the same code, though a system property currently keeps the feature dormant on that device.
After the researchers responsibly disclosed the issue, most affected vendors patched it via a system update with the exception of the Gigaset GX4 Pro, which reportedly remains unpatched.
The hidden features: remote app control and arbitrary code execution
Buried inside PriLauncher are capabilities that let a remote server — presumably operated by Prize — perform actions on the device without requiring any input from the user. The supported actions include installing and uninstalling apps, silently replacing apps, tweaking the home screen itself by swapping icons and titles, and dropping in widgets. All of this happens invisibly, and the typical user would likely never notice.
The capabilities resemble legitimate “silent install” services some carriers and device makers use to automatically install apps without user consent. The difference is that PriLauncher’s version of this capability was built on a shaky security foundation.
On top of the app-management features, PriLauncher can also fetch a Dalvik Executable (DEX) file (compiled Android code) from a remote server, load it, and execute it — with “system”-level privileges — roughly every four hours. In other words, it’s a built-in mechanism for running arbitrary code on the device on a recurring schedule.
The security problem: a networking library that trusts everything
The app-management traffic relies on a networking library called xUtils3, which doesn’t validate SSL/TLS certificates by default. This allows an attacker using a Man-in-the-Middle (MITM) attack to impersonate Prize’s servers. While apps using the xUtils3 library superficially appear to have secure network communications, this is not the case, since there is no validation of SSL/TLS certificates for HTTPS connections. Therefore, any SSL/TLS certificate is accepted, even if the domain does not match and there is no chain of trust to a root Certificate Authority on the device.
That means an attacker capable of intercepting network traffic (for example, on a shared Wi-Fi network) can perform a MITM attack and impersonate Prize’s servers, because the app will accept essentially any certificate it receives.
Our researchers confirmed this vulnerability was exploitable in practice. Using network proxy software to intercept and modify network traffic and a simple proxy configuration set through the phone’s Settings app, we were able to inject responses and manipulate the app-management channel on stock, unmodified Android devices that contained the PriLauncher app.
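To make the trust-manager problem concrete, here is an added example (written for this article, not code from PriLauncher or from the xUtils3 project) that places the “accept anything” pattern a reviewer should flag next to a hardened `HttpsURLConnection` setup. The class name `TlsTrustExamples` and the method names are assumptions of this example; the `TRUST_ALL` and `ALLOW_ALL_HOSTS` objects are the shape the vulnerability takes in Java, regardless of which HTTP library wraps them.

```java
import java.io.IOException;
import java.net.URL;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Added example (not PriLauncher/xUtils3 code): the insecure and the hardened
// ways of opening an HTTPS connection on Android/Java.
public final class TlsTrustExamples {

    // VULNERABLE: checkServerTrusted() never throws, so every certificate chain
    // (self-signed, expired, issued for another domain) passes. The connection is
    // still encrypted, but it authenticates nobody.
    static final X509TrustManager TRUST_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    // VULNERABLE: any hostname is accepted, so even a validly issued certificate
    // for an unrelated domain would satisfy the client.
    static final HostnameVerifier ALLOW_ALL_HOSTS = (hostname, session) -> true;

    // The pattern to flag in code review or static analysis: a custom SSLContext
    // built on TRUST_ALL plus a permissive HostnameVerifier.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { TRUST_ALL }, new SecureRandom());
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier(ALLOW_ALL_HOSTS);
        return conn;
    }

    // HARDENED: refuse non-HTTPS URLs and leave the platform defaults in place.
    // With no custom SSLSocketFactory or HostnameVerifier, the chain is validated
    // against the device's trusted root CAs and the hostname is matched to the
    // certificate; a MITM proxy with a self-signed certificate is rejected.
    static HttpsURLConnection openHardened(URL url) throws IOException {
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IOException("refusing non-HTTPS URL: " + url);
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setConnectTimeout(10_000);
        conn.setReadTimeout(10_000);
        return conn;
    }

    private TlsTrustExamples() { }
}
```

On Android the hardened path can be reinforced in the app’s Network Security Config by disallowing cleartext traffic (`cleartextTrafficPermitted="false"`) and, for a vendor-controlled endpoint such as an app-management server, by pinning the server’s public key, so that even a rogue CA-issued certificate is rejected. When auditing a third-party library, search for `X509TrustManager` implementations whose `checkServerTrusted` body is empty and for `HostnameVerifier` lambdas that return `true` unconditionally; both are present in the insecure half of the example above.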
Beyond the PriLauncher app, there are other Android apps that use the vulnerable xUtils3 library. Researchers point to data suggesting thousands of apps on the Google Play Store use it, with hundreds still active, meaning this isn’t necessarily an isolated problem confined to one launcher. Quokka provides a Software Bill of Materials (SBOM) solution that identifies libraries used by mobile apps, even when the libraries are obfuscated.
The dynamic code loading channel
Interestingly, the dynamic code loading feature doesn’t rely on the vulnerable xUtils3 library, but the download URL can still be downgraded from HTTPS to HTTP via a MITM attack. The mitigating factor is that any downloaded DEX file must carry a valid signature from a specific DSA private key before PriLauncher will load and execute it, which means an attacker would also need access to that private key to weaponize this particular pathway directly.
Still, combined with the insecure app-management channel, the overall picture is troubling: a pre-installed, privileged app that phones home every few hours for code to dynamically execute and can install or remove software without user consent. This introduces risk to users by allowing an ODM to constantly check for arbitrary code to download and execute outside of the typical system update process.
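The dynamic loading channel described above depends on two controls: the transport must not be downgradable to HTTP, and the payload must be signature-checked before anything is loaded. The following added example (illustrative code, not PriLauncher’s own implementation) shows how that gate can be written so that both checks happen before a DEX file reaches a class loader. The class and method names, the choice of `SHA256withDSA` as the signature algorithm, and the `VENDOR_DSA_PUBLIC_KEY_DER` placeholder are assumptions of this example; the article only states that a DSA key is used.

```java
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.security.KeyFactory;
import java.security.PublicKey;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;

// Added example: gate a remotely fetched DEX payload behind an HTTPS-only
// source check and a detached-signature check before loading it.
public final class SignedPayloadGate {

    // Placeholder for the vendor's DSA public key in X.509 SubjectPublicKeyInfo
    // (DER) form. A real build embeds the actual key bytes; this example assumes
    // they are supplied at build time.
    static final byte[] VENDOR_DSA_PUBLIC_KEY_DER = new byte[0];

    static PublicKey loadVendorKey() throws Exception {
        return KeyFactory.getInstance("DSA")
                .generatePublic(new X509EncodedKeySpec(VENDOR_DSA_PUBLIC_KEY_DER));
    }

    // Closes the downgrade path: a payload URL rewritten to http:// by an
    // on-path attacker is refused before any bytes are fetched.
    static void requireHttps(URL source) throws IOException {
        if (!"https".equalsIgnoreCase(source.getProtocol())) {
            throw new IOException("payload source must be HTTPS: " + source);
        }
    }

    // Verifies a detached signature over the raw DEX bytes with the embedded
    // public key. Only the holder of the matching private key can produce a
    // signature that passes here, which is the mitigating factor the article notes.
    static boolean signatureValid(byte[] payload, byte[] signature, PublicKey key)
            throws Exception {
        Signature verifier = Signature.getInstance("SHA256withDSA"); // assumed algorithm
        verifier.initVerify(key);
        verifier.update(payload);
        return verifier.verify(signature);
    }

    // Loads the payload only when both checks pass. The DEX is written to an
    // app-private directory; DexClassLoader requires a private optimized directory,
    // otherwise another process could swap the file between verify and load.
    static ClassLoader loadIfTrusted(URL source, byte[] payload, byte[] signature,
                                     File appPrivateDir, ClassLoader parent) throws Exception {
        requireHttps(source);
        if (!signatureValid(payload, signature, loadVendorKey())) {
            throw new SecurityException("payload signature mismatch; refusing to load");
        }
        File dex = new File(appPrivateDir, "payload.dex");
        Files.write(dex.toPath(), payload);
        // dalvik.system.DexClassLoader exists only on Android; it is assumed here.
        return new dalvik.system.DexClassLoader(dex.getPath(), appPrivateDir.getPath(),
                                                null, parent);
    }

    private SignedPayloadGate() { }
}
```

Note that the signature check protects the integrity of the payload but not its provenance policy: it still lets whoever controls the private key push code to every device on a schedule, which is the residual risk the paragraph above describes. From a defender’s perspective, the verifiable properties are that the URL scheme cannot be downgraded, that verification happens over the exact bytes written to disk, and that the file lives in storage no other app can modify.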
The bigger picture
The table below provides a snapshot of our findings from scanning PriLauncher with Quokka’s automated app analysis platform, Q-mast.
| Vulnerability | Description |
|---|---|
| Remote App Management (CVE-2025-58398) | Network communications vulnerable to MITM attacks due to the use of an insecure trust manager that exposes the ability to install or uninstall arbitrary apps in addition to other app management functions. |
| Factory Reset (CVE-2025-58399) | Local third-party apps, even those with zero-permissions, can trigger a factory reset operation on the device. In addition, by leveraging the Remote App Management vulnerability, this issue is expanded by allowing an attacker to remotely trigger the factory reset operation. |
| Inclusion of Libraries Containing Known Vulnerabilities | Both observed versions of the “PriLauncher” app contain outdated libraries with known vulnerabilities, including “High” risk vulnerabilities CVE-2021-22569, CVE-2021-22570, CVE-2022-3509, CVE-2022-3510, and CVE-2024-7254, and a “Medium” risk vulnerability CVE-2022-3171. |
| Allows Cleartext HTTP Traffic | Both observed versions of the “PriLauncher” app contain code site(s) indicating the permitted use of HTTP. HTTP is inherently insecure as it provides no confidentiality, integrity, or authenticity guarantees. |
| Contains Hardcoded Cryptographic Initialization Vectors (IVs) | Both observed versions of the “PriLauncher” app contain code site(s) indicating the use of hardcoded cryptographic IVs. By not using secure random IVs generated at runtime, the security posture of sensitive data is weakened and encrypted data is more vulnerable to exposure. |
| Allows Backup | Both observed versions of the “PriLauncher” app contain settings that allow their private app files to be externally backed up and restored with USB access, causing a potential loss of confidentiality and integrity. There is a backup policy which specifies a subset of files to be backed up. |
| SQL Injection | Both observed versions of the “PriLauncher” app contain code site(s) indicating it is vulnerable to SQL injection attacks, where unsanitized user input is executed in an SQL statement. |
| Improperly Configured File Provider | Both observed versions of the “PriLauncher” app contain one or more file provider(s) that use the broadest scope available (i.e., `<root-path>`) from which to provide files. This is insecure and its use is discouraged since it unnecessarily exposes various files on the system that the “PriLauncher” app can access. This is particularly relevant since the “PriLauncher” app executes with “system” privileges, which exposes files on external storage and private files of other apps that also execute with “system” privileges. |
| Path Traversal | The “PriLauncher” app (ver. 14.0.240810) contains a code site indicating use of external input used for a file deletion operation. Improperly protecting File I/O operations as identified here may result in the loss of user data. |
This case is a reminder that the security of an Android device isn’t just about the apps you choose to install — it’s also about everything that ships with the phone before you ever turn it on. A modified system component, hiding behind a familiar package name, can carry capabilities far beyond its apparent job description, and those capabilities are only as safe as the weakest networking library used to control them.
For now, if you own one of the affected devices, particularly a Gigaset GX4 Pro, it’s worth consistently checking for system updates and being cautious about which networks you connect to until a patch is available.
Read the full technical report for more details.