On May 30, 2025, CERT Polska disclosed three security vulnerabilities affecting preinstalled Android applications on smartphones produced by Ulefone and Krüger&Matz. The vulnerabilities, identified as CVE-2024-13915, CVE-2024-13916, and CVE-2024-13917, expose users to unauthorized device resets, theft of PIN codes, and privilege escalation by malicious applications.
Technical Breakdown of the Vulnerabilities
The following table summarizes the reported vulnerabilities:
CVE ID | Product | Vendor(s) | Affected Versions | CWE Type & Description |
---|---|---|---|---|
CVE-2024-13915 | com.pri.factorytest | Ulefone, Krüger&Matz | All through 1.0 | CWE-926: Improper Export of Android Application Components – Unrestricted access to FactoryResetService enables factory reset by any app. |
CVE-2024-13916 | com.pri.applock | Krüger&Matz | 13 | CWE-497: Exposure of Sensitive System Information – Malicious apps can steal the user’s PIN via an exported content provider. |
CVE-2024-13917 | com.pri.applock | Krüger&Matz | 13 | CWE-926: Improper Export of Android Application Components – Exposed activity allows privilege escalation with knowledge of the PIN. |
Factory Reset Service Exposure
The com.pri.factorytest application, which comes preinstalled on devices from Ulefone and Krüger&Matz, exposes the com.pri.factorytest.emmc.FactoryResetService service. Due to inadequate export controls, any installed application can invoke this service, potentially executing a full factory reset and erasing all user data without consent. This vulnerability falls under CWE-926, which covers failures to properly restrict exported Android components, allowing unauthorized app interactions.
AppLock PIN Exfiltration
On Krüger&Matz devices, the com.pri.applock application is designed to secure other applications using a user-defined PIN or biometric data. However, the com.android.providers.settings.fingerprint.PriFpShareProvider content provider exposes a public query() method, enabling any app, regardless of permissions, to extract the user’s PIN. This scenario exemplifies CWE-497, where sensitive system information is made accessible to unauthorized entities.
```java
Cursor cursor = getContentResolver().query(
        Uri.parse("content://com.android.providers.settings.fingerprint.PriFpShareProvider"),
        null, null, null, null);
// Malicious app can read PIN from cursor
```
Intent Injection via Exposed Activity
Additionally, com.pri.applock (version 13) exposes an exported activity, com.pri.applock.LockUI, which can be invoked by any application. A malicious app could inject arbitrary intents with system-level privileges into protected applications, provided it has access to the PIN, which can be compromised via CVE-2024-13916. This again illustrates CWE-926: improperly exported Android components can lead to privilege escalation and unauthorized access.
Coordinated Disclosure and Security Implications
CERT Polska has effectively managed the responsible disclosure process, underscoring the significance of coordinated vulnerability management within the Android ecosystem. These vulnerabilities highlight the urgent need for stringent export controls on Android components and the robust protection of sensitive user data. Users of the affected devices are encouraged to seek firmware updates or mitigations from their vendors and to remain vigilant regarding app permissions and any unusual behavior exhibited by their devices.