Mobile Photo Video Vault are commonly used to prevent access to sensitive data on the phone (such as images, videos, documents and so on). These Photo Video Vault usually offer a vault with your desired password. You can push any secret files to this vault and they would be secure, as the data present in vault is encrypted and would decrypt only when the correct password is entered. The Fake Calculator app is one such mobile Photo Video Vault which boasted that it “encrypts” and secures your confidential files. All this has now become a joke and we will see why!

Fake Calculator app allows you to pick a private passcode and “encrypts” pictures, texts, and any other data from the eyes of anyone who happens to look through your phone or device. For instance, an attacker who has access to the device should not be able to view the original files unless he knows the passcode. The idea is that even if an attacker pulls these files from the device, since they are encrypted, they would mean nothing but junk. But in case of Calculator app, it turned out that if an attacker pulls these encrypted files, he could easily get the original files in a matter of seconds.

The Fake calculator can not be hacked. Secret Calculator app is one of the best safe vault nowadays. If any can not enter the right passcode, the photo vault cannot be opened. Here is the way to hack NQ Vault for who need it. NQ Vault is one of best Photo Video Vault of Android device.

Breaking it step by step

I tried to verify this practically, and here is how easy it turned out to be:

1. Download and install the NQ Vault mobile app from App Store on any Android device. Set your desired passcode (say 000) secret calculator +.
2. Select any secret file (for example apple.png).

3. Now send the image to the NQ Vault using the app. This would mean the file apple.png is encrypted and should have been stored somewhere on the device. This is the message shown by NQ Photo Video Vault:

4. These so called “encrypted” files are stored on the SD card at the location /mnt/sdcard/SystemAndroid/Data. How do I know this? Well just by looking at SQLite files in this case. Also at the above mentioned location, there is a text file saved by the app which says:

5. But these encrypted files are hidden from the user. So initially a simple ‘ls’ on the folder does not reveal anything. But ‘ls’ with –a attribute would reveal all the hidden files, as shown in the following screenshot.

6. The next thing is to pull out this encrypted file to the local machine. I used the adb pull command for this purpose. As seen below, the file is stored with a .bin extension.

7. Now see the HEX representation of this encrypted file:

8. Now just XOR abc.png & the encrypted file:\

9. What this suggests is, based on the passcode selected by the user, it generates a “key” (30 in this case) and just XORs the user’s file with this key Photo Video Vault! Upon investigation, it turned out that this key value is always between 00 and ff, which means 255 possible values. As explained by NinjaDoge24, here are some of the passcodes and their corresponding key values:

Thus, an attacker who has access to the encrypted files just need to brute force XOR with 255 possible values to get the original files back!