Significant vulnerabilities have been identified in pre-installed applications on Ulefone and Krüger&Matz Android smartphones, raising alarms about potential risks to users. These flaws, disclosed on May 30, 2025, illustrate how the Improper Export of Android Application Components (CWE-926) can jeopardize device security at a fundamental level.
Factory Reset Flaw
Three distinct vulnerabilities have emerged, particularly affecting preloaded applications on these smartphone brands. According to CERT Polska, CVE-2024-13915 specifically targets the com.pri.factorytest application, which is installed during the manufacturing process on both Ulefone and Krüger&Matz devices.
This vulnerability exposes the com.pri.factorytest.emmc.FactoryResetService service, enabling any third-party application on the device to execute an unauthorized factory reset without needing special permissions. The flaw impacts version 1.0 of the factory test application, with updates incorporated into operating system builds released after December 2024 for Ulefone devices and likely after March 2025 for Krüger&Matz smartphones. The service’s improper export settings in the AndroidManifest.xml file create a considerable attack vector for malicious applications.
PIN Code Theft and Intent Injection Attacks
More alarming are the vulnerabilities affecting the com.pri.applock application on Krüger&Matz smartphones, which is designed to secure applications using PIN codes or biometric data. CVE-2024-13916 exploits an exposed content provider known as com.android.providers.settings.fingerprint.PriFpShareProvider.
The vulnerability resides in the public query() method, allowing malicious applications to extract user PIN codes without requiring any Android system permissions. Furthermore, CVE-2024-13917 presents an even graver threat, impacting the exposed com.pri.applock.LockUI activity. This flaw permits malicious applications to inject arbitrary intents with system-level privileges into applications protected by AppLock, potentially enabling attackers to obtain the PIN code through CVE-2024-13916 or manipulate users into revealing their credentials.
Both AppLock vulnerabilities were confirmed in version 13 (version code 33) of the application, although the vendor has not provided detailed information regarding all affected versions. The discovery of these vulnerabilities is attributed to security researcher Szymon Chadam, who responsibly reported the findings to CERT Polska.
Technical analysis indicates that these vulnerabilities stem from CWE-926: Improper Export of Android Application Components. This weakness arises when applications export components for use by other applications but fail to impose adequate access restrictions. The three primary component types affected include Activities (user interfaces), Services (background operations), and Content Providers (data sharing mechanisms).
Security researchers underscore that these flaws illuminate a broader issue of insufficient security practices in pre-installed software. They enable malicious applications to bypass Android’s permission model, gaining unauthorized access to sensitive system functions and user data.
To mitigate similar vulnerabilities in the future, developers are encouraged to explicitly mark components as android:exported=”false” in the application manifest for those not intended for external use. For components that must be shared, implementing signature-based restrictions using android:protectionLevel=”signature” ensures that access is limited to applications signed with the same certificate.
Users of affected devices are advised to check for system updates and consider removing or disabling vulnerable pre-installed applications where feasible until patches are made available.
Celebrate 9 years of ANY.RUN! Unlock the full power of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.
