CVE-2025-68712
Description
SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SpSoft AppLock 7.9.40 for Android allows local attackers to bypass fingerprint/PIN authentication via insecure overlay navigation, exposing protected apps.
Vulnerability
SpSoft AppLock (com.sp.protector.free) version 7.9.40 integrates Android's biometric authentication but implements a custom overlay for the lock screen. The overlay fails to consistently enforce authentication after being dismissed, allowing the lock interface to be bypassed. The vulnerability is reachable when the app is configured to protect other applications (e.g., Chrome) and the device is in an unlocked state after initial authentication. [1][2]
Exploitation
An attacker with physical access to the device can navigate through cascading interface flows, such as exposed routes triggered by advertisement or browser intents, to exit the lock interface without re-authentication. This does not require elevated privileges or prior knowledge of the user's PIN or fingerprint. [2]
Impact
Successful exploitation allows the attacker to access protected apps (e.g., Chrome) without authentication, leading to information disclosure of sensitive data stored within those apps. The attacker also gains unauthorized privilege escalation by bypassing the app's security controls. [1][2]
Mitigation
As of the publication date, no official fix has been released by SpSoft. Users should consider using alternative app lockers or monitoring the Google Play Store for an update superseding version 7.9.40. The app is not listed on the CISA KEV. [1][2]
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: = 7.9.40
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
News mentions
No linked articles in our index yet.