Pre-installed Apps on Ulefone, Krüger & Matz Phones Let Apps Reset the Device and Steal the PIN

2 Min Read

Three security vulnerabilities have been disclosed in preloaded Android applications on Ulefone and Krüger & Matz smartphones that allow apps installed on the device to perform a factory reset and encrypt an application.

A brief description of the three flaws is as follows:

  • CVE-2024-13915 (CVSS score: 6.9) – The “com.pri.factorytest” application pre-installed on Ulefone and Krüger & Matz smartphones exposes “com.pri.factorytest.emmc.FactoryResetService”.
  • CVE-2024-13916 (CVSS score: 6.9) – The “com.pri.applock” application pre-installed on Krüger & Matz smartphones allows a user to encrypt an application using a user-supplied PIN code or biometric data. The app also exposes the “query()” method of the “com.android.providers.settings.fingerprint.prifpshareprovider” content provider. This lets a malicious app already installed on the device by other means extract the PIN code.
  • CVE-2024-13917 (CVSS score: 8.3) – The “com.pri.applock” application pre-installed on Krüger & Matz smartphones exposes the “com.pri.applock.lockui” activity.

Exploiting CVE-2024-13917 requires the adversary to know the protecting PIN, but it can be chained with CVE-2024-13916 to leak the PIN code.
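Each of the three CVEs above involves a component (a service, a content provider, an activity) that a pre-installed app exposes to other apps. As an added example, not taken from the original article or from CERT Polska, this Python script audits a decoded AndroidManifest.xml for exported components that no permission guards; the sample manifest and every name in it are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
KINDS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest; package and component names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preloaded">
  <application>
    <service android:name=".ResetService" android:exported="true"/>
    <provider android:name=".PinProvider" android:exported="true"
              android:authorities="com.example.preloaded.pin"/>
    <activity android:name=".LockActivity">
      <intent-filter><action android:name="com.example.LOCK"/></intent-filter>
    </activity>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.preloaded.permission.RESET"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies export
    for activities, services and receivers (the pre-Android 12 default)."""
    flag = elem.get(ANDROID + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return elem.tag != "provider" and elem.find("intent-filter") is not None

def is_guarded(elem, app):
    """True when callers need a permission, counting the <application> default."""
    get = lambda attr: elem.get(ANDROID + attr)
    if get("permission") or app.get(ANDROID + "permission"):
        return True
    # A provider is fully guarded only if both its read and write paths need one.
    return elem.tag == "provider" and bool(get("readPermission") and get("writePermission"))

def unprotected_exports(manifest_xml):
    """Return (kind, name) for each exported component with no permission guard."""
    app = ET.fromstring(manifest_xml).find("application")
    return [(c.tag, c.get(ANDROID + "name")) for c in app
            if c.tag in KINDS and is_exported(c) and not is_guarded(c, app)]

if __name__ == "__main__":
    for kind, name in unprotected_exports(SAMPLE_MANIFEST):
        print(f"{kind:9} {name}  exported without a permission")
```

The manifest inside an APK is binary XML and must be decoded to text first. A declared permission is only as strong as its protection level, which this check does not inspect.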

CERT Polska, which detailed the vulnerabilities, credited Szymon Chadam with responsible disclosure. However, the exact patch status of these flaws remains unknown. The Hacker News has asked both Ulefone and Krüger & Matz for additional comment and will update the story if there is a reply.
