Important vulnerabilities had been uncovered in pre-installed functions on Ulefone and Krüger&Matz Android smartphones that expose customers to vital dangers, together with unauthorized manufacturing facility resets, PIN code theft, and malicious command injection.
These flaws, revealed on Could 30, 2025, reveal how Improper Export of Android Software Elements (CWE-926) can compromise machine safety on the system degree.
Manufacturing facility Reset Flaw
Three distinct vulnerabilities have been recognized affecting preloaded functions on these smartphone manufacturers.
In keeping with CERT Polska, CVE-2024-13915 targets the com.pri.factorytest utility, which is preinstalled throughout the manufacturing course of on each Ulefone and Krüger&Matz units.
This vulnerability exposes the com.pri.factorytest.emmc.FactoryResetService service, permitting any third-party utility put in on the machine to carry out an unauthorized manufacturing facility reset with out requiring particular permissions.
The vulnerability impacts model 1.0 of the manufacturing facility check utility, with updates being bundled into OS builds launched after December 2024 for Ulefone units and sure after March 2025 for Krüger&Matz smartphones.
The uncovered service is outlined within the AndroidManifest.xml file with improper export settings, creating a major assault vector for malicious functions.
PIN Code Theft and Intent Injection Assaults
Essentially the most regarding vulnerabilities have an effect on the com.pri.applock utility on Krüger&Matz smartphones, which is designed to encrypt functions utilizing PIN codes or biometric information.
CVE-2024-13916 exploits an uncovered content material supplier referred to as com.android.suppliers.settings.fingerprint.PriFpShareProvider.
The vulnerability lies within the public question() methodology, which permits malicious functions to exfiltrate person PIN codes with out requiring any Android system permissions.
CVE-2024-13917 represents an much more extreme risk, affecting the uncovered com.pri.applock.LockUI exercise.
This vulnerability allows malicious functions to inject arbitrary intents with system-level privileges into functions protected by AppLock.
Attackers can exploit this by both acquiring the PIN code via CVE-2024-13916 or manipulating customers into offering their credentials.
Each AppLock vulnerabilities had been confirmed in model 13 (model code 33) of the applying, although the seller has not offered complete details about all affected variations.
The invention was credited to safety researcher Szymon Chadam, who responsibly reported the vulnerabilities to CERT Polska.
Technical evaluation reveals that these vulnerabilities stem from CWE-926: Improper Export of Android Software Elements. On this weak spot, functions export parts to be used by different functions however fail to correctly limit entry.
The three primary element sorts affected embrace Actions (person interfaces), Providers (background operations), and Content material Suppliers (information sharing mechanisms).
Safety researchers emphasize that these flaws spotlight the broader concern of insufficient safety practices in pre-installed software program.
The vulnerabilities permit malicious functions to bypass Android’s permission mannequin, gaining unauthorized entry to delicate system capabilities and person information.
To forestall comparable points, builders ought to explicitly mark parts as android:exported=”false” within the utility manifest for parts not meant for exterior use.
For parts that should be shared, implementing signature-based restrictions utilizing android:protectionLevel=”signature” ensures entry is proscribed to functions signed with the identical certificates.
Customers of affected units ought to examine for system updates and take into account eradicating or disabling susceptible preinstalled functions the place doable till patches can be found.
Have a good time 9 years of ANY.RUN! Unlock the complete energy of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.
