CVE-2025-68712: SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to b...
SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
Security readout for executives and security teams
Plain-English summary
CVE-2025-68712 affects SpSoft AppLock for Android version 7.9.40. The app can fail to keep its fingerprint or PIN lock enforced, so someone holding the device may reach apps AppLock was meant to protect. This is mainly a lost-device, shared-device, or insider-access risk.
Executive priority
Prioritize where AppLock protects business data on shared, field, or easily lost Android devices. This is not a remote compromise based on current sources, but it weakens a control users may believe protects sensitive apps after physical access.
Technical view
The CVE describes an authentication bypass in com.sp.protector.free 7.9.40. AppLock uses Android biometrics but enforces access through a custom overlay. Cascading interface flows involving exposed routes via advertisement or browser intents can let a local attacker exit the lock interface without re-authentication.
Likely exposure
Exposure appears limited to Android devices with SpSoft AppLock com.sp.protector.free version 7.9.40 installed and used to protect other apps. The sources do not define wider affected version ranges, enterprise deployment prevalence, or whether patched builds exist.
Exploitation context
The source requires local physical access to the Android device. CVE data does not show KEV listing, public active exploitation, CVSS scoring, or a vendor-confirmed advisory. The GitHub reference appears to provide vulnerability details, but evidence for real-world abuse is not provided.
Researcher notes
The record lacks CVSS, CWE mapping, CPEs, and vendor/product metadata beyond the package and version in the description. Validate scope carefully before broad claims. No source in the bundle names a fixed version or vendor mitigation.
Mitigation direction
Check vendor or Google Play guidance for updated AppLock versions.
Do not treat AppLock as a primary security boundary.
Use Android device-level lock, encryption, and managed-device policies.
Remove or disable AppLock on high-risk shared or managed devices.
Restrict physical access to devices containing sensitive apps.
Validation and detection
Inventory Android devices for package com.sp.protector.free.
Confirm whether installed version is 7.9.40.
Review whether sensitive apps rely on AppLock protection.
Check CVE and vendor sources for patch or version updates.
Perform any reproduction only on authorized test devices.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
description · low confidence lookup
Privilege behavior lookup
The CVE wording references privilege impact, so privilege escalation and authorization behavior review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
0CVSS vectors
3Timeline events
0ADP providers
4Source links
Vulnerability timeline
Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.
CVE reservedCVE Program
The CVE ID was reserved by the assigning CNA.
CVE publishedCVE Program
The CVE record was published.
May 27, 2026, 00:00 UTC (UTC+00:00)
CVE updatedCVE Program
The CVE record metadata indicates this as the latest update time.