Full Report
Three security vulnerabilities have been disclosed in preloaded Android applications on smartphones from Ulefone and Krüger&Matz that could enable any app installed on the device to perform a factory reset and encrypt an application. A brief description of the three flaws is as follows - CVE-2024-13915 (CVSS score: 6.9) - A pre-installed "com.pri.factorytest" application on Ulefone and
Analysis Summary
# Vulnerability: Preinstalled Apps on Ulefone/Krüger&Matz Phones Allow Factory Reset and PIN Theft
## CVE Details
- CVE ID: CVE-2024-13915, CVE-2024-13916, CVE-2024-13917
- CVSS Score: 6.9 (Medium) for CVE-2024-13915 and CVE-2024-13916. 8.3 (High) for CVE-2024-13917.
- CWE: [Not specified in source, but implied: Insecure Component Exposure, Improper Access Control]
## Affected Systems
- Products: Ulefone smartphones and Krüger&Matz smartphones.
- Versions: Specific versions were not detailed, but the vulnerability resides in preinstalled applications.
- Configurations: Affects devices with the vulnerable preinstalled packages.
## Vulnerability Description
Three distinct vulnerabilities were found in preinstalled applications distributed on Ulefone and Krüger&Matz Android devices, allowing any installed third-party app to perform malicious actions.
1. **CVE-2024-13915 (Factory Reset):** The pre-installed application package `com.pri.factorytest` exposes the `com.pri.factorytest.emmc.FactoryResetService`. Any installed application can exploit this service to trigger a complete factory reset of the phone.
2. **CVE-2024-13916 (PIN Exfiltration):** The pre-installed application `com.pri.applock` improperly protects its content provider, specifically the `com.android.providers.settings.fingerprint.PriFpShareProvider`. An attacker-controlled app can use the provider's `query()` method to exfiltrate the user's PIN code used for app locking.
3. **CVE-2024-13917 (System Privilege Intent Injection):** The pre-installed `com.pri.applock` application exposes the `com.pri.applock.LockUI` activity. This allows any malicious application, regardless of system permissions, to inject arbitrary intents with system-level privileges into a protected application (though exploitation typically requires knowing the protecting PIN). This vulnerability is primarily concerning when chained with CVE-2024-13916 to bypass the PIN requirement.
## Exploitation
- Status: Not explicitly stated as being exploited in the wild. PoC availability is implied given the specific component exposure details shared by the researcher (CERT Polska).
- Complexity: Low to Medium. CVE-2024-13915 and CVE-2024-13916 appear lower complexity because any installed app can call the service or query the content provider directly. CVE-2024-13917 on its own requires knowing the PIN, which raises the practical complexity slightly unless it is chained with CVE-2024-13916.
- Attack Vector: Local (requires the attacker to have already installed a malicious third-party application on the device).
## Impact
- Confidentiality: High (due to PIN exfiltration via CVE-2024-13916 and potential privilege escalation via intent injection in CVE-2024-13917).
- Integrity: High (due to the factory reset capability in CVE-2024-13915 and intent injection in CVE-2024-13917, which allows modification of other apps' states).
- Availability: High (Factory reset capability in CVE-2024-13915 results in total device data loss).
## Remediation
### Patches
- Status is currently unclear. The article mentions that The Hacker News reached out to Ulefone and Krüger&Matz, and the patch status was not confirmed at the time of reporting. Users should check for firmware or application updates from their device manufacturers.
### Workarounds
- Since the vulnerabilities involve preinstalled, likely system-level applications, robust client-side workarounds are difficult without system modification (e.g., rooting).
- **Limiting App Installs:** Users should only install applications from trusted sources (Google Play Store) to reduce the likelihood of an attacker gaining the foothold necessary to exploit these local flaws.
## Detection
- **Indicators of Compromise:** Unexpected factory resets or unauthorized changes to application lock states or PINs.
- **Detection Methods and Tools:** Analysis of running processes and installed applications for the presence of `com.pri.factorytest` and `com.pri.applock` packages. Advanced MDM or endpoint detection tools may be able to detect abnormal calls to exposed Android components (Services, Content Providers, Activities) originating from non-system applications.
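
As an added example (not from CERT Polska or either vendor), the package check above can go one step further and audit a decoded `AndroidManifest.xml` for exported components that declare no permission. The two manifests are constructed for illustration: only the package and component names come from the advisory, the attributes are assumptions, and the export rule is simplified.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = {"activity", "activity-alias", "service", "receiver", "provider"}
PERMISSION_ATTRS = ("permission", "readPermission")  # readPermission gates query()
WATCHED_PACKAGES = {"com.pri.factorytest", "com.pri.applock"}  # from the advisory

# Constructed manifests, not the vendors' files: package and component names are
# from the advisory; every attribute and each hypothetical entry is assumed.
SAMPLE_FACTORYTEST = """<manifest package="com.pri.factorytest"
    xmlns:android="http://schemas.android.com/apk/res/android"><application>
  <service android:name="com.pri.factorytest.emmc.FactoryResetService"
           android:exported="true"/>
</application></manifest>"""
SAMPLE_APPLOCK = """<manifest package="com.pri.applock"
    xmlns:android="http://schemas.android.com/apk/res/android"><application>
  <provider android:name="com.android.providers.settings.fingerprint.PriFpShareProvider"
            android:authorities="hypothetical.authority" android:exported="true"/>
  <activity android:name="com.pri.applock.LockUI">
    <intent-filter><action android:name="hypothetical.ACTION"/></intent-filter>
  </activity>
  <service android:name=".HypotheticalGuardedService" android:exported="true"
           android:permission="android.permission.BIND_DEVICE_ADMIN"/>
</application></manifest>"""

def unprotected_exports(manifest_xml):
    """Return (package, [(tag, name)]) for exported components lacking a permission."""
    root = ET.fromstring(manifest_xml)
    findings = []
    for comp in root.findall("./application/*"):
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported = comp.get(ANDROID + "exported")
        # Simplified export rule: explicit true, or unset with an intent filter.
        is_exported = exported == "true" or (
            exported is None and comp.find("intent-filter") is not None)
        guarded = any(comp.get(ANDROID + attr) for attr in PERMISSION_ATTRS)
        if is_exported and not guarded:
            findings.append((comp.tag, comp.get(ANDROID + "name")))
    return root.get("package"), findings

def audit(manifests):
    results = map(unprotected_exports, manifests)
    return {pkg: found for pkg, found in results if pkg in WATCHED_PACKAGES and found}

if __name__ == "__main__":
    for pkg, items in audit([SAMPLE_FACTORYTEST, SAMPLE_APPLOCK]).items():
        print(pkg, "exported with no permission:", items)
```

On a real device image the manifest would first have to be decoded from the APK's binary XML before this parser can read it.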
## References
- Vendor advisories: None specified as released by Ulefone or Krüger&Matz in the source article.
- Relevant links (defanged):
  - CERT Polska Advisory: hxxps://cert.pl/en/posts/2025/05/CVE-2024-13915/
  - CVE Details (link to CVE-2024-13915): hxxps://www.cve.org/CVERecord?id=CVE-2024-13915
  - CVE Details (link to CVE-2024-13916): hxxps://www.cve.org/CVERecord?id=CVE-2024-13916
  - CVE Details (link to CVE-2024-13917): hxxps://www.cve.org/CVERecord?id=CVE-2024-13917