Jun 02, 2025Ravie LakshmananMobile Safety / Vulnerability
Three safety vulnerabilities have been disclosed in preloaded Android purposes on smartphones from Ulefone and Krüger&Matz that might allow any app put in on the machine to carry out a manufacturing unit reset and encrypt an utility.
A quick description of the three flaws is as follows –
CVE-2024-13915 (CVSS rating: 6.9) – A pre-installed “com.pri.factorytest” utility on Ulefone and Krüger&Matz smartphones exposes a “com.pri.factorytest.emmc.FactoryResetService” service that enables any put in utility to carry out a manufacturing unit reset of the machine.
CVE-2024-13916 (CVSS rating: 6.9) – A pre-installed “com.pri.applock” utility on Kruger&Matz smartphones permits a person to encrypt any utility utilizing user-provided PIN code or through the use of biometric information. The app additionally exposes a “com.android.suppliers.settings.fingerprint.PriFpShareProvider” content material supplier’s “question()” technique that allows any malicious app already put in on the machine by another means to exfiltrate the PIN code.
CVE-2024-13917 (CVSS rating: 8.3) – A pre-installed “com.pri.applock” utility on Kruger&Matz smartphones uncovered an “com.pri.applock.LockUI” exercise that enables some other malicious utility, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected utility.
Whereas exploiting CVE-2024-13917 requires an adversary to know the protective PIN quantity, it might be chained with CVE-2024-13916 to leak the PIN code.
CERT Polska, which detailed the vulnerabilities, credited Szymon Chadam for responsibly disclosing them. Nonetheless, the precise patch standing of those flaws stay unclear. The Hacker Information has reached out to each Ulefone and Krüger&Matz for extra remark and we’ll replace the story if we hear again.
Discovered this text attention-grabbing? Comply with us on Twitter and LinkedIn to learn extra unique content material we put up.
