2025-08-04 –, Florentine A
Trend Micro Mobile Security (TMMS) is a solution widely trusted by enterprises to defend Android devices. But what if the protection becomes the threat? In this talk, I reveal how the very software meant to secure mobile endpoints can be exploited to compromise them. During my research, I identified three vulnerabilities, two confirmed by the vendor.
First, I found that TMMS exposes sensitive security reports online without requiring authentication, revealing device data to anyone. Second, I uncovered a persistent stored XSS sent from Android agents during scans. This payload executes in the browser of anyone who accesses the report, allowing attackers to inject further malicious scripts. Lastly, I’ll discuss a memory-level manipulation identified during dynamic analysis of the scan routine, which could lead to code execution. These flaws present a high-impact attack surface individually, and a dangerous chain if combined.
This presentation includes recorded demos and a deep dive into the methodology used to discover these issues. It is tailored for red teamers, offensive security professionals, and researchers focused on mobile and infrastructure security.
This talk is the result of hands-on vulnerability research focused on Trend Micro’s enterprise-grade mobile security solution, TMMS. The project began with a simple question: Can the tools used to protect mobile devices be turned against themselves? That curiosity led to a series of discoveries, two of which Trend Micro acknowledged as confirmed security issues.
The first vulnerability centers on unauthenticated access to TMMS's device report pages. These pages expose scan histories, app inventories, and device status, all accessible without any form of authentication. This flaw represents a significant breach of confidentiality, offering an attacker valuable insights about an organization’s device fleet and security posture.
Digging deeper, I found that these unauthenticated reports also served as a perfect delivery channel for a stored cross-site scripting attack. By modifying the name of an app on an enrolled Android agent, a value later displayed in the web console, I was able to inject JavaScript directly into the report page. Since this page is rendered without sanitization and without login, the script executes in the browser of any administrator or user who accesses it.
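As an added illustration (not code from the talk or from Trend Micro's product), the following Python sketch contrasts the report-rendering pattern that the first two findings describe, an unauthenticated page that drops agent-supplied app names into HTML as-is, with a hardened version that checks the session and encodes every agent-controlled field. The function names, the sample app inventory and the session object are hypothetical.

```python
import html
from typing import Dict, List, Tuple

# Constructed sample inventory, shaped like what an enrolled agent might report.
# The second app name carries a script tag, as a tampered agent could send.
SAMPLE_APPS: List[Dict[str, str]] = [
    {"name": "Mail Client", "package": "com.example.mail", "status": "clean"},
    {"name": "<script>alert(1)</script>", "package": "com.example.evil", "status": "clean"},
]

ROW = "<tr><td>{name}</td><td>{package}</td><td>{status}</td></tr>"


def render_report_unsafe(apps: List[Dict[str, str]]) -> str:
    """The weak pattern: no login check, agent strings interpolated into HTML verbatim."""
    rows = "".join(ROW.format(**app) for app in apps)
    return f"<table>{rows}</table>"


def render_report(apps: List[Dict[str, str]],
                  session: Dict[str, bool]) -> Tuple[int, Dict[str, str], str]:
    """Hardened version: refuse unauthenticated requests, HTML-encode every
    agent-controlled field, and send a CSP so an encoding slip cannot run inline script."""
    if not session.get("authenticated"):
        return 401, {"WWW-Authenticate": "Bearer"}, ""
    rows = "".join(
        ROW.format(**{k: html.escape(v, quote=True) for k, v in app.items()})
        for app in apps
    )
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    }
    return 200, headers, f"<table>{rows}</table>"


def raw_script_count(body: str) -> int:
    """Regression check: number of unescaped <script openers in a rendered page."""
    return body.lower().count("<script")


if __name__ == "__main__":
    print("unsafe:", raw_script_count(render_report_unsafe(SAMPLE_APPS)))
    status, _, body = render_report(SAMPLE_APPS, {"authenticated": True})
    print("hardened:", status, raw_script_count(body))
```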
The final and most technically complex finding lies within the TMMS Android agent. While inspecting its scan routines via reverse engineering and dynamic testing, I identified a potential path to code execution. By altering function parameters in memory during an antivirus scan, it may be possible to invoke unintended behavior, including spawning a reverse shell. Although Trend Micro has not confirmed this issue, preliminary results suggest the feasibility of remote command execution through controlled memory manipulation, especially if initiated from a compromised server or malicious agent.
My talk will take attendees through each phase of the research: from initial reconnaissance and passive analysis to deeper reverse engineering of the Android APK and memory manipulation during runtime. I will demonstrate how these flaws intersect and discuss the viability of chaining them into a full exploit path. The narrative will include recorded demos, such as viewing a report without credentials, triggering XSS via Android scan, and memory patching leading to command execution, to help make the technical impact tangible.
Beyond showcasing vulnerabilities, I’ll reflect on disclosure, vendor response, and the implications for other mobile security products. Attendees will leave with a deeper appreciation for the risks hidden in trusted software, as well as techniques they can apply to analyze similar solutions.
Lucas Carmo is a seasoned offensive security researcher and co-founder of Hakai Security, a Brazilian consultancy focused on red teaming, vulnerability research, and exploit development. With over eight years of experience in cybersecurity, Lucas holds respected certifications including OSWE (Offensive Security Web Expert), Offensive Security Wireless Professional (OSWP), and GMOB (GIAC Mobile Device Security Analyst). He has discovered multiple CVEs in widely used platforms such as Trend Micro Mobile Security, Nagios, PRTG, 3CX, and Centreon.
Lucas leads Delta7, Hakai’s advanced research division, where he guides a team of specialists in dissecting complex security flaws across web and Android environments. He has contributed to open-source projects like the ReconFTW web interface and frequently shares insights through blog posts, technical write-ups, and conference presentations.
Beyond the code, Lucas is passionate about tattoos and art. He sees hacking as a creative discipline that requires abstract thinking, intuition, and an artistic mindset. To him, connecting pieces of a system to uncover a vulnerability is like crafting a powerful visual composition: messy in the process, but beautiful in its outcome.