Three security vulnerabilities have been disclosed in preloaded Android applications on smartphones from Ulefone and Krüger&Matz that could enable any app installed on the device to perform a factory reset and encrypt an application.
A brief description of the three flaws is as follows –
- CVE-2024-13915 (CVSS score: 6.9) – A pre-installed “com.pri.factorytest” application on Ulefone and Krüger&Matz smartphones exposes a “com.pri.factorytest.emmc.FactoryResetService” service that allows any installed application to perform a factory reset of the device.
- CVE-2024-13916 (CVSS score: 6.9) – A pre-installed “com.pri.applock” application on Kruger&Matz smartphones allows a user to encrypt any application using user-provided PIN code or by using biometric data. The app also exposes a “com.android.providers.settings.fingerprint.PriFpShareProvider” content provider’s “query()” method that permits any malicious app already installed on the device by some other means to exfiltrate the PIN code.
- CVE-2024-13917 (CVSS score: 8.3) – A pre-installed “com.pri.applock” application on Kruger&Matz smartphones exposed an “com.pri.applock.LockUI” activity that allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application.
While exploiting CVE-2024-13917 requires an adversary to know the protecting PIN number, it could be chained with CVE-2024-13916 to leak the PIN code.
CERT Polska, which detailed the vulnerabilities, credited Szymon Chadam for responsibly disclosing them. However, the exact patch status of these flaws remain unclear. The Hacker News has reached out to both Ulefone and Krüger&Matz for additional comment and we will update the story if we hear back.
