%20(1).webp?ssl=1 "Preinstalled Android Apps Discovered Leaking PINs and Executing Malicious Instructions")
On Might 30, 2025, CERT Polska coordinated the general public disclosure of three vital safety vulnerabilities affecting preinstalled Android purposes on smartphones from Ulefone and Krüger&Matz.
These flaws, tracked as CVE-2024-13915, CVE-2024-13916, and CVE-2024-13917, expose customers to dangers starting from unauthorized gadget resets to theft of delicate PIN codes and privilege escalation by malicious purposes.
Technical Breakdown of the Vulnerabilities
The desk under summarizes the important thing particulars of the reported vulnerabilities:
| CVE ID | Product | Vendor(s) | Affected Variations | CWE Sort & Description |
|---|---|---|---|---|
| CVE-2024-13915 | com.pri.factorytest | Ulefone, Krüger&Matz | All via 1.0 | CWE-926: Improper Export of Android Software Elements – Unrestricted entry to FactoryResetService permits manufacturing unit reset by any app. |
| CVE-2024-13916 | com.pri.applock | Krüger&Matz | 13 | CWE-497: Publicity of Delicate System Info – Malicious apps can steal the consumer’s PIN through an exported content material supplier. |
| CVE-2024-13917 | com.pri.applock | Krüger&Matz | 13 | CWE-926: Improper Export of Android Software Elements – Uncovered exercise permits privilege escalation with information of the PIN. |
Manufacturing facility Reset Service Publicity
The com.pri.factorytest app, preinstalled on Ulefone and Krüger&Matz units, exposes the com.pri.factorytest.emmc.FactoryResetService service.
On account of improper export controls, any put in utility can invoke this service to carry out a full manufacturing unit reset, probably wiping all consumer knowledge with out consent.
This vulnerability is classed beneath CWE-926, which describes failures to correctly limit exported Android parts, permitting unauthorized app interplay.
xml
AppLock PIN Exfiltration
On Krüger&Matz units, the com.pri.applock app is meant to safe different purposes utilizing a consumer PIN or biometric knowledge.
Nevertheless, the com.android.suppliers.settings.fingerprint.PriFpShareProvider content material supplier exposes a public question() methodology, permitting any app, with out permissions, to extract the consumer’s PIN.
It is a basic case of CWE-497, the place delicate system info is uncovered to unauthorized actors.
javaCursor cursor = getContentResolver().question(
Uri.parse("content material://com.android.suppliers.settings.fingerprint.PriFpShareProvider"),
null, null, null, null);
// Malicious app can learn PIN from cursor
Intent Injection through Uncovered Exercise
Additionally affecting com.pri.applock (model 13), An exported exercise com.pri.applock.LockUI might be invoked by any utility.
A malicious app can inject arbitrary intents with system-level privileges into protected apps, offered it is aware of the PIN (which might be stolen through CVE-2024-13916).
That is one other occasion of CWE-926—improper export of Android parts, resulting in potential privilege escalation and unauthorized entry.
xml
Coordinated Disclosure and Safety Implications
CERT Polska managed the accountable disclosure course of, highlighting the significance of coordinated vulnerability administration within the Android ecosystem.
These vulnerabilities display the essential want for strict export controls on Android parts and strong safety of delicate consumer knowledge.
Customers of affected units ought to search firmware updates or mitigations from distributors and stay vigilant about app permissions and weird gadget habits.
Discover this Information Fascinating! Comply with us on Google Information, LinkedIn, & X to Get Instantaneous Updates!
