CVE-2017-11129
📋 TL;DR
This vulnerability allows attackers with access to the Android keystore to extract sensitive cryptographic keys due to a hard-coded password. All users of StashCat for Android versions up to 1.7.5 are affected. This compromises the confidentiality of encrypted communications and user authentication.
💻 Affected Systems
- heinekingmedia StashCat
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of encrypted communications, impersonation of users, decryption of stored sensitive data, and potential account takeover across all affected devices.
Likely Case
Extraction of private keys leading to decryption of user communications and stored data, particularly if the device is rooted or the attacker has physical access.
If Mitigated
Limited impact if keystore access is restricted through device security controls, though the vulnerability remains present in the application.
🎯 Exploit Status
Exploitation requires access to the keystore file, which can be obtained through device access, malicious apps, or device compromise. The hard-coded password makes extraction trivial once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 1.7.5
Vendor Advisory: http://seclists.org/fulldisclosure/2017/Jul/90
Restart Required: Yes
Instructions:
1. Update StashCat to a version newer than 1.7.5 from the Google Play Store.
2. Uninstall and reinstall the application to ensure a clean keystore.
3. Generate new cryptographic keys after the update.
🔧 Temporary Workarounds
Uninstall vulnerable version
Android: Remove the vulnerable application until a patched version is available
adb uninstall com.heinekingmedia.stashcat
Device security hardening
Android: Enable full device encryption, disable USB debugging, and restrict app installations to prevent keystore access
🧯 If You Can't Patch
- Discontinue use of StashCat for sensitive communications and migrate to alternative secure messaging applications
- Implement device-level security controls, including full disk encryption, a screen lock with a strong password, and disabled developer options
🔍 How to Verify
Check if Vulnerable:
Check StashCat version in Android Settings > Apps > StashCat. If version is 1.7.5 or earlier, the device is vulnerable.
Check Version:
adb shell dumpsys package com.heinekingmedia.stashcat | grep versionName
Verify Fix Applied:
Verify StashCat version is newer than 1.7.5 and check that new cryptographic keys have been generated in the app settings.
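The version check above can be scripted for a fleet of devices. The following is an added example, not part of the advisory: the function names and the sample `dumpsys` text are constructed for illustration, and it compares version components numerically so that a release such as 1.7.10 is not misread as older than 1.7.5.

```shell
#!/bin/sh
# Added example: classify a StashCat install from `dumpsys package` output on stdin.
# Usage on a device: adb shell dumpsys package com.heinekingmedia.stashcat | classify
LAST_VULNERABLE="1.7.5"   # from the advisory: versions up to 1.7.5 are affected

# Print the first versionName value found in the input (empty if none).
extract_version() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*$/\1/p' | head -n 1
}

# Return 0 if dotted version $1 <= $2, comparing each component as a number.
version_le() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}   # drop suffixes such as "-beta"
        x=${x:-0}; y=${y:-0}               # a missing component counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 0
}

# Print "vulnerable <v>", "patched <v>", or "unknown" when no version is reported.
classify() {
    v=$(extract_version)
    if [ -z "$v" ]; then
        echo "unknown"
    elif version_le "$v" "$LAST_VULNERABLE"; then
        echo "vulnerable $v"
    else
        echo "patched $v"
    fi
}

# Constructed sample inputs (not captured from a real device).
SAMPLE_OLD='Packages:
  Package [com.heinekingmedia.stashcat]:
    versionName=1.7.5'
SAMPLE_NEW='Packages:
  Package [com.heinekingmedia.stashcat]:
    versionName=1.7.10'

printf '%s\n' "$SAMPLE_OLD" | classify
printf '%s\n' "$SAMPLE_NEW" | classify
```

An "unknown" result means no versionName line was reported, so check that device by hand.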
📡 Detection & Monitoring
Log Indicators:
- Unusual keystore access patterns
- Multiple failed authentication attempts to keystore
- Unexpected cryptographic operations
Network Indicators:
- Unusual decryption failures
- Suspicious authentication patterns from compromised keys
SIEM Query:
source="android" app="StashCat" (event="keystore_access" OR event="crypto_failure")