Three safety vulnerabilities have been disclosed in preloaded Android purposes on smartphones from Ulefone and Krüger&Matz that might allow any app put in on the machine to carry out a manufacturing unit reset and encrypt an utility.
A short description of the three flaws is as follows –
- CVE-2024-13915 (CVSS rating: 6.9) – A pre-installed “com.pri.factorytest” utility on Ulefone and Krüger&Matz smartphones exposes a “com.pri.factorytest.emmc.FactoryResetService” service that permits any put in utility to carry out a manufacturing unit reset of the machine.
- CVE-2024-13916 (CVSS rating: 6.9) – A pre-installed “com.pri.applock” utility on Kruger&Matz smartphones permits a person to encrypt any utility utilizing user-provided PIN code or by utilizing biometric knowledge. The app additionally exposes a “com.android.suppliers.settings.fingerprint.PriFpShareProvider” content material supplier’s “question()” technique that allows any malicious app already put in on the machine by another means to exfiltrate the PIN code.
- CVE-2024-13917 (CVSS rating: 8.3) – A pre-installed “com.pri.applock” utility on Kruger&Matz smartphones uncovered an “com.pri.applock.LockUI” exercise that permits another malicious utility, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected utility.
Whereas exploiting CVE-2024-13917 requires an adversary to know the protective PIN quantity, it may very well be chained with CVE-2024-13916 to leak the PIN code.
CERT Polska, which detailed the vulnerabilities, credited Szymon Chadam for responsibly disclosing them. Nevertheless, the precise patch standing of those flaws stay unclear. The Hacker Information has reached out to each Ulefone and Krüger&Matz for added remark and we’ll replace the story if we hear again.
