A preferred Android parental management app carried a number of vulnerabilities which allowed the kids to bypass parental controls, and risk actors to put in malware or steal delicate information from the flawed gadgets.

The app in query is known as Parental Management – Youngsters Place, constructed by an organization referred to as Kiddowares. It has greater than 5 million downloads on Google Play, and gives all types of parental management options, from monitoring and geolocation, to web restrictions and cost restrictions. Mother and father may also monitor how their youngsters spend time on the machine, and ensure they’re secure from any malicious content material.

The findings had been outlined in a report from cybersecurity researchers SEC Seek the advice of, which is now urging customers to replace the apps to the newest model instantly.

Deploying malware

Now, SEC Seek the advice of’s researchers discovered variations 3.8.49 and older susceptible to 5 flaws. 

The primary permits risk actors to intercept and decrypt person registration and login information, that means they might be capable to receive delicate info equivalent to login credentials. 

The second, tracked as CVE-2023-29079, permits for cross-site scripting assaults, which risk actors can use to inject malicious scripts into the dashboard of the dad and mom. The third one, tracked as CVE-2023-29078, is a cross-site request forgery (CSRF) flaw, whereas the fourth one permits the attackers to ship recordsdata as much as 10MB in measurement to the kid’s machine.  

This one is especially harmful because the recordsdata are uploaded to an AWS S3 bucket, the place they’re not scanned and will comprise malware. The fifth one, tracked as CVE_2023-28153, permits the kids (or risk actors) to briefly take away all utilization restrictions. Until they manually verify within the dashboard, the dad and mom received’t know this transformation occurred. 

The researchers mentioned that each one variations prior to three.8.50 are susceptible, and have urged the customers to replace, instantly. The patch was launched on February 14, 2023. 

• Listed here are the perfect firewalls (opens in new tab) right now

By way of: BleepingComputer (opens in new tab)