CVE-2025-56608

MEDIUM

Android Corona Virus Tracker App India 1.0 - Authentication Bypass via MD5 Digest Spoofing

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-56608. PoCs published by anonaninda.

AI-analyzed exploit summary This is a technical writeup detailing the use of the broken MD5 cryptographic algorithm in the Corona Virus Tracker App India v1.0, specifically in the authentication mechanism. It includes vulnerability details, affected files, and recommendations for remediation.

Description

The SourceCodester Android application "Corona Virus Tracker App India" 1.0 uses MD5 for digest authentication in `OkHttpClientWrapper.java`. The `handleDigest()` function employs `MessageDigest.getInstance("MD5")` to hash credentials. MD5 is a broken cryptographic algorithm known to allow hash collisions. This makes the authentication mechanism vulnerable to replay, spoofing, or brute-force attacks, potentially leading to unauthorized access. The vulnerability corresponds to CWE-327 and aligns with OWASP M5: Insufficient Cryptography and MASVS MSTG-CRYPTO-4.

Exploits (1)

nomisec WRITEUP

by anonaninda · poc

https://github.com/anonaninda/Aninda-security-advisories

View Code ZIP pw:eip

This is a technical writeup detailing the use of the broken MD5 cryptographic algorithm in the Corona Virus Tracker App India v1.0, specifically in the authentication mechanism. It includes vulnerability details, affected files, and recommendations for remediation.

Classification

Writeup 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Theoretical

Target: Corona Virus Tracker App India v1.0

No auth needed

Prerequisites: Access to the APK for reverse engineering

MITRE ATT&CK

T1110 - Brute Force

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Technical Description

https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#identifying-insecure-andor-deprecated-cryptographic-algorithms-mstg-crypto-4

View Writeup ZIP pw:eip

Third Party Advisory

https://github.com/anonaninda/Aninda-security-advisories/blob/main/CVE-2025-56608.md

View Writeup ZIP pw:eip

Product

https://www.sourcecodester.com/android/14292/android-corona-virus-tracker-app-india-using-b4a.html

Scores

CVSS v3 4.2

EPSS 0.0030

EPSS Percentile 21.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (1)

donbermoy/android_corona_virus_tracker_app_for_india 1.0

Published Sep 03, 2025

Tracked Since Feb 18, 2026