Three security vulnerabilities have been discovered in preloaded Android applications on
smartphones from Ulefone and Krüger&Matz. These flaws could allow any installed application to carry out a factory reset or encrypt another app on the device.
Below is a brief summary of the three issues:
CVE-2024-13915 (CVSS score: 6.9): The pre-installed "com.pri.factorytest" application on Ulefone and Krüger&Matz smartphones exposes the "com.pri.factorytest.emmc.FactoryResetService" service. This service allows any installed app to trigger a factory reset of the device.
CVE-2024-13916 (CVSS score: 6.9): The "com.pri.applock" app, pre-installed on Krüger&Matz smartphones, enables users to encrypt any application using a PIN code or biometric data. It also exposes the "query()" method of the "com.android.providers.settings.fingerprint.PriFpShareProvider" content provider. This method can be used by a malicious app to extract the user's PIN.
CVE-2024-13917 (CVSS score: 8.3): The same "com.pri.applock" app on Krüger&Matz devices exposes a "com.pri.applock.LockUI" activity. This activity allows any malicious application, even those without special system permissions, to inject arbitrary intents with system-level privileges into a protected app. While exploiting this vulnerability requires knowledge of the PIN code, it can be combined with CVE-2024-13916 to obtain that information.
CERT Polska, which reported the vulnerabilities, credited researcher Szymon Chadam for the responsible disclosure. The current patch status of these vulnerabilities remains uncertain. The Hacker News has contacted Ulefone and Krüger&Matz for comment and will provide updates as more information becomes available.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
