Animal Sounds and Ringtones App Exposes Critical File Overwrite Flaw
A critical security flaw in the popular Animal Sounds and Ringtones app allows an attacker to overwrite any file within the app's private internal storage, a direct path to code execution in the app's context and to theft of locally stored data. The vulnerability, found in version V1.3.0 of the app published by PEAKSEL D.O.O. NIS, stems from the absence of any validation in its file import feature: the destination path is built from an attacker-controlled file name, so a name containing path traversal sequences such as `../` escapes the intended import location and replaces sensitive internal files with attacker-chosen content.
The flaw resides in the `com.bra.classes.ExternalProcessorActivity` component. Because the import writes wherever the traversal-laden name points, an attacker can overwrite configuration files, databases, or even executable code the app loads from its private storage. Depending on which file is replaced, the result is an app crash (denial of service), exposure of user data stored locally, or, in the worst case, execution of arbitrary code with the app's permissions. With over 10 million downloads on Google Play, the app presents a large attack surface.
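To make the flaw concrete, here is an added example (not code from the app or from PEAKSEL) that models the import logic in Python: a vulnerable write that joins the attacker-controlled name straight onto the import directory, beside a hardened version that rejects anything but a bare file name and then confirms the canonical destination still lies inside the canonical import directory. The directory layout (`imports/`, `shared_prefs/settings.xml`), the file names, the crafted content and the function names are assumptions for illustration; on Android the same containment check is done by comparing `File.getCanonicalPath()` of the destination against the app's private directory (for example `getFilesDir()`).

```python
import os
import shutil
import tempfile


class UnsafeImportName(ValueError):
    """Raised when an imported file name would escape the import directory."""


def is_bare_file_name(name: str) -> bool:
    """True only for a plain file name: no separators, no NUL, not '.' or '..'."""
    return name not in ("", ".", "..") and not any(c in name for c in "/\\\0")


def vulnerable_import(data_dir: str, imported_name: str, content: bytes) -> str:
    """The flawed pattern: the attacker-supplied name is joined straight onto the
    import directory, so '../shared_prefs/x.xml' walks out of imports/ and an
    absolute name is taken as-is by os.path.join."""
    dest = os.path.join(data_dir, "imports", imported_name)
    with open(dest, "wb") as f:
        f.write(content)
    return os.path.realpath(dest)


def safe_import(data_dir: str, imported_name: str, content: bytes) -> str:
    """Hardened pattern: accept only a bare file name, then confirm the canonical
    destination is inside the canonical import directory. The second check is
    defence in depth (it also catches a symlink planted inside imports/) and is
    the equivalent of comparing File.getCanonicalPath() results on Android."""
    import_dir = os.path.realpath(os.path.join(data_dir, "imports"))
    if not is_bare_file_name(imported_name):
        raise UnsafeImportName(imported_name)
    dest = os.path.realpath(os.path.join(import_dir, imported_name))
    # commonpath (not str.startswith) so a sibling like imports_old/ cannot pass.
    if os.path.commonpath([import_dir, dest]) != import_dir:
        raise UnsafeImportName(imported_name)
    with open(dest, "wb") as f:
        f.write(content)
    return dest


def demo() -> tuple:
    """Build a throwaway stand-in for the app's private data directory (an
    assumption: a real app would use its Android files dir), attempt the
    overwrite through both code paths, and report what happened."""
    data_dir = tempfile.mkdtemp(prefix="app_data_")
    try:
        os.makedirs(os.path.join(data_dir, "imports"))
        os.makedirs(os.path.join(data_dir, "shared_prefs"))
        prefs = os.path.join(data_dir, "shared_prefs", "settings.xml")
        with open(prefs, "w") as f:
            f.write("<map/>")  # constructed placeholder for a preferences file

        # Constructed attacker-controlled name and content.
        evil_name = "../shared_prefs/settings.xml"
        evil_body = b'<map><string name="premium">true</string></map>'

        # 1. Vulnerable path: the traversal name lands on the preferences file.
        written = vulnerable_import(data_dir, evil_name, evil_body)
        with open(prefs, "rb") as f:
            overwritten = written == os.path.realpath(prefs) and f.read() == evil_body

        # 2. Hardened path: the same name is rejected before anything is written.
        try:
            safe_import(data_dir, evil_name, evil_body)
            blocked = False
        except UnsafeImportName:
            blocked = True

        # 3. Hardened path, bare name but a symlink inside imports/ pointing out:
        #    passes the name filter, caught by the canonical-path containment check.
        os.symlink(prefs, os.path.join(data_dir, "imports", "link.xml"))
        try:
            safe_import(data_dir, "link.xml", evil_body)
            symlink_blocked = False
        except UnsafeImportName:
            symlink_blocked = True

        # 4. A benign import still works and stays inside imports/.
        benign = safe_import(data_dir, "cat.mp3", b"RIFF....WAVE")
        benign_ok = os.path.dirname(benign) == os.path.realpath(
            os.path.join(data_dir, "imports"))
        return overwritten, blocked, symlink_blocked, benign_ok
    finally:
        shutil.rmtree(data_dir, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # (True, True, True, True)
```

The two checks cover different failure modes: filtering separators and dot names stops `../` sequences and absolute names, while comparing canonical paths stops a link already inside the import directory from redirecting the write, and the comparison uses `os.path.commonpath` rather than a string prefix so that a sibling directory with the same prefix does not pass.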
This vulnerability puts millions of users at risk of having the app, and the data it stores, compromised. The severity lies in the attacker's ability to persistently alter the app's behavior from inside its own sandbox: a replaced preferences file, database, or loaded code takes effect on every subsequent launch. Developers and security teams should treat this as a high-priority patch, since exploitation requires no user interaction beyond a seemingly normal file import. The discovery underscores the persistent risk in mobile applications that accept external files without restricting the file name and validating the canonical destination path.