-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

KL-001-2026-001: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking

Title: yintibao Fun Print Mobile Unauthorized Access via Context Hijacking
Advisory ID: KL-001-2026-001
Publication Date: 2026-01-08
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.txt


1. Vulnerability Details

     Affected Vendor: yintibao
     Affected Product: Fun Print Mobile
     Affected Version: 6.05.15
     Platform: ARM64 - Android
     CWE Classification: CWE-926: Improper Export of Android
                         Application Components
     CVE ID: CVE-2025-15464


2. Vulnerability Description

     Exported Activity allows external applications to gain
     application context and directly launch Gmail with inbox access,
     bypassing security controls.


3. Technical Description

     * Performed on Android 13 aarch64 - Samsung (Galaxy Tab A7 Lite)
     * Using Frida client on Ubuntu 24.04 LTS - Frida server on
       Samsung Rooted Device.
     * The target Activity is exported true. Which means any
       application may interact with it, given that permissions are
       provided.
     * The attacking host needs to attach the device email to the
       application; then the account can be used by the application.

     The PandoraEntry activity is exported (android:exported="true")
     and processes external intents without validation.  Below is
     the PandoraEntryActivity code:

       protected void onCreate(Bundle bundle) {
           // ... INITALIZATION CODE ...  super.onCreate(bundle);

           // BELOW EXTERNAL INTENT ACCEPTED WITHOUT VALIDATION Intent
           intent = getIntent();

           // ... PROCESSING CONTINUES WITH UNVALIDATED INTENT ...
           if (intent.hasExtra(IntentConst.START_FROM_TO_CLASS) &&
           SDK.isUniMPSDK()) {
               String stringExtra =
               intent.getStringExtra(IntentConst.START_FROM_TO_CLASS);
               if (!TextUtils.isEmpty(stringExtra) &&
               stringExtra.startsWith("io.dcloud.feature.sdk.multi")) {
                   intent.setClassName(getPackageName(), stringExtra);
                   intent.removeExtra(IntentConst.START_FROM_TO_CLASS);
               }
           } else {
               intent.putExtra(IntentConst.WEBAPP_SHORT_CUT_CLASS_NAME,
               PandoraEntry.class.getName()); intent.setClass(this,
               PandoraEntryActivity.class);
           }

           //UNVALIDATED INTENT FORWARDED startActivity(intent);
           overridePendingTransition(0, 0);
       }


4. Mitigation and Remediation Recommendation

     No response from vendor. There are no known mitigations to
     end-users of the affected application version(s).

5. Credit

     This vulnerability was discovered by Felix Segoviano of
     KoreLogic, Inc.


6. Disclosure Timeline

     2025-12-01 : KoreLogic requests security contact from vendor
                  via weizhengsl@vip.qq.com and 277517409@qq.com.
     2025-12-08 : KoreLogic submits vulnerability details to vendor
                  via weizhengsl@vip.qq.com and 277517409@qq.com.
     2026-01-08 : KoreLogic public disclosure.


7. Proof of Concept

     URL: https://korelogic.com/Resources/Advisories/KL-001-2026-001.poc.js.txt
     SHA256sum: ddb3c840c94b204fbbe2931a68771ae28d8ea9c778310cfa83e218a64a41ffd5



The contents of this advisory are copyright(c) 2026
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
-----BEGIN PGP SIGNATURE-----

iQJqBAEBCABUFiEEB12WYZwbVwYTJ/b2DKLsCTlWkekFAmlgEwUbFIAAAAAABAAO
bWFudTIsMi41KzEuMTEsMiwyGhxkaXNjbG9zdXJlc0Brb3JlbG9naWMuY29tAAoJ
EAyi7Ak5VpHpzZ8P/2qCsUv0UUDoOF6AxM10bAn5L6UrgZO6JnEmTz6gZuRLco8j
6AQfBmCke9pSb9/lgoM3mvA39DjyLMT5/lfzxC3B9XOQEYWe5gnVNYv7T8mhzAjr
LuwMQ/jzgAy3I/fMFk4tcShBIdtVZnYjZywfv5D+r/USqgAbpkJs50l07oH86hm8
j/0y3/t3WjiF8jg6Skf2LCfRDw6LGZWIcDN9bbwsWZd2Q8xVsqm8TwHg5cSjd8bL
/8kpwpxkfGj36lHd4zxYXPG3Bjms8l0Hn7qBMx7dB7DWiQUHQ7AtJ25xRPAZg/s9
SV/U6Xw2jcyM8Fo1m6hKA1JJs6oFVWjcc3VI/x8Yf0A18BnpOgQk6YLtRiVm2dvk
bfwNhcdbiBqaFxpAveNGSJZgfC/A80FB4RGn5rSlPOUhdIFTu7bxm/V2BPvcFMtY
dHrcOIHzawH43pnoD15Nl+wamoL7yFwsY+avcxDSOEMW/Dl1nEq7ByNUFYd+0neK
77vC5+1f+rUSvusqTeQRAy9zJp9SRZJEsKYUPOJCEKf7oFxBb2bVFyz3M466jFE8
DBYoTsJIZJi9yOB8BYT9jFwH3AGMiH0dHJ6uuzVevEggRKJk2/yi1/QtVNXcTKAw
P6ro5YBzOBXvltB4uQaB7eL5yQB0AHfEGDYUYKNKRaMU5+c0QQVaA6+Pu/53
=Ja51
-----END PGP SIGNATURE-----