Cybersecurity News
Research

OPPO Kash Android app wants your device root access

OPPO Kash Android app wants your device root access

OPPO Kash android application has root access bug which means the application requests for full permission from the user Their security team rejected the bug

OPPO Kash is an all-inclusive financial services application where the entire India takes a step towards financial freedom, with right from insurance to loans, mutual fund investments and more. OPPO Kash caters to the growing financial needs of individuals and SMEs of India that have been conventionally deemed as a risky segment for organised lending, perhaps due to a lack of credit history. We partner with India’s top fund houses for investments and leading lenders for loans.

About the bug

OPPO Kash android application has root access bug which means the application requests for full permission from the user Their security team rejected the bug saying “No Danger” This bug is same as what happened to Paytm a top payments application of India earlier. This permission need not be requested by any financial applications Once root access is given, the application can takeover the android device just like an administrator, execute any code on the device, take photos, microphone and files “No danger” of severity is not true. All apps don’t ask for root privilege even if the device is rooted.

Q&A

What would be the scope of the bug?

Android devices — All Smartphones including OPPO — Why should users be concerned about it? Considering this is a financial application, root access should never be asked. The intention of the application developers and the company is not right. Being an application that would be available in OPPO smartphones as well as on Google Play store accessible to all brands of devices, this is an important issue.

Banking applications work on trust and this should not be trusted at all — How did you spot the issue?

I was randomly going through the android play store when I spotted this application. So thought to install it and try it out.

Does it have any impact on phones that aren’t rooted?

The Oppo Kash application does asks for root access, the device has to be rooted for the android system to provide superuser privilege to the application. So if the device is not rooted, even if the application attempts to request permission the superuser access won’t be provided by the android system.

Conclusion

Gaining root access of Android is the process of modifying the operating system that shipped with your Android device to grant you complete control over it. It can access all apps information, System files, chat details, photos, video, microphone, camera, GPS, Bluetooth as well as update/delete user settings on the device. This is not an android permission issue.

Remediation

OPPO Kash application should not request for root privileges

Evidence