Remote Code Execution Vulnerabilities
Researchers discovered a collection of Remote Code Execution (RCE) vulnerabilities in the Portable SDK for UPnP, also known as libupnp, a software library used by mobile devices, routers, smart TVs, and other IoT devices to stream media files over a network.
"We found 547 apps that used older versions of libupnp, 326 of which are available on the Google Play store," Trend Micro mobile analyst Veo Zhang wrote in a blog post published Thursday.
Vulnerable Apps Downloaded by Millions of People
The biggest app affected by the flaw is QQMusic, which is used by over 100 million people in China alone and has been downloaded by millions of Android users from the Google Play store. However, the security issue has since been fixed by the developers.
"Upon further clarification with Netflix, we learned that Netflix uses their own fork of libupnp due to an API that is no longer a part of newer libupnp versions. However, their fork contains the fixes from newer versions of libupnp as well, so we believe they are not affected by potential remote code execution attacks targeting this vulnerability."
List of Vulnerable Apps
HexLink Remote (TV client)
HexLink-SmartTV remote control
Hisense Android TV Remote
nScreen Mirroring for Samsung
Ooredoo TV Oman
PictPrint – WiFi Print App –
Smart TV Remote
에브리온TV (무료 실시간 TV)
Though the makers of QQMusic and LinPhone have addressed the issue and released fixes for their apps, users are advised to check their devices for any of these apps and, if one is found, either remove it or check for an update.