Threat Guidances
Vulnerability
March 20, 2020

Voatz App Security Flaws

How Lookout Detects and Protects

For application developers, especially those developing apps that collect highly sensitive data tied to industries like finance, healthcare, and government, security must be baked in. Protection against threats like runtime hooking with frameworks like xPosed is a key component of ensuring their app is secure. They can do so by embedding the Lookout App Defense SDK for threat detection and wrapping the application with Lookout Anti-tampering solution, which is created in partnership with Promon. Promon Shield ensures that the code cannot be reverse engineered and prevents other processes from hooking into the application code at runtime.

Overview

Recently, news broke of multiple vulnerabilities in the Voatz mobile voting app, which was going to be used by both Oregon and West Virginia to allow voting by people who are physically unable to make it to the polls. The vulnerabilities, discovered by researchers at MIT, could allow hackers to see someone’s vote or even change their vote. Specifically, the researchers noted that malware with root access to a voter's mobile device could bypass the host protection provided by Zimperium’s zIAP SDK. According to the researchers, the SDK can be disabled via the xPosed Framework and four lines of code by using a hooking utility to alter the application's control flow. After that, an attacker with root access can commandeer the app to alter the interface and do things such as divert votes and leak ballots and personal data to an external server.

Lookout Analysis

Lookout Application Defense SDK and Lookout Mobile Endpoint Security (MES) will detect xPosed Framework. In order to provide full anti-tampering coverage, Lookout has partnered with Promon to provide an anti-tampering solution that protects apps against runtime hooking scenario as described by the MIT researchers. For an attack like this to be successful, xPosed framework requires the device to be rooted. Lookout SDK’s advanced device compromise module would uncover rooting techniques such as Magisk and Magisk Hide.

Authors

Lookout

Endpoint Security
Entry Type
Threat Guidances
Threat Type
Vulnerability
Platform(s) Affected
Threat Guidances
Vulnerability

Related Content

CVE-2025-31200-31201 Update

CISA recently added guidance to CVE-2025-31200, a memory corruption issue, and CVE-2025-31201, an arbitrary read and write issue.

Read Threat Article

CVE-2025-24201 on iOS

CISA recently provided guidance for CVE-2025-24201, an out-of-bounds write issue in WebKit. There has been evidence of active exploitation of this CVE.

Read Threat Article

Vulnerability Affecting Apple devices

CISA recently added guidance to CVE-2025-24085, a use-after-free issue, which affects Apple devices running on visionOS, iOS, iPadOS, macOS, tvOS, and watchOS.

Read Threat Article

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.

Schedule Demo
HeaderHeaderHeaderHeader
CellCellCellCell
CellCellCellCell
CellCellCellCell
CellCellCellCell