Report an incident
Back
  • About us
  • For experts
Report an incident
About us
About our team Contact
Baza wiedzy
Fałszywe inwestycje Uważaj na fałszywe sklepy online (Nie)bezpieczne płatności Fałszywi konsultanci Zadbaj o bezpieczne hasła i logowanie Fałszywe załączniki w mailach Fałszywe prośby o szybki przelew Fałszywe SMSy - plaga ostatnich miesięcy
Biuletyn OUCH!
Porady bezpieczeństwa OUCH!
Projects
n6 Artemis MWDB
CVD program
CVD policy Advisories

Vulnerabilities in applications preloaded on Ulefone and Krüger&Matz smartphones
30 May 2025 | CERT Polska | #vulnerability, #warning, #cve
CVE ID CVE-2024-13915
Publication date 30 May 2025
Vendor Ulefone and Krüger&Matz
Product com.pri.factorytest
Vulnerable versions All through 1.0
Vulnerability type (CWE) Improper Export of Android Application Components (CWE-926)
Report source Report to CERT Polska
CVE ID CVE-2024-13916
Publication date 30 May 2025
Vendor Krüger&Matz
Product com.pri.applock
Vulnerable versions 13
Vulnerability type (CWE) Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497)
Report source Report to CERT Polska
CVE ID CVE-2024-13917
Publication date 30 May 2025
Vendor Krüger&Matz
Product com.pri.applock
Vulnerable versions 13
Vulnerability type (CWE) Improper Export of Android Application Components (CWE-926)
Report source Report to CERT Polska

Description

CERT Polska has received a report about vulnerabilities in applications preloaded on Ulefone and Krüger&Matz smartphones and participated in coordination of their disclosure.

The vulnerability CVE-2024-13915: Android based smartphones from vendors such as Ulefone and Krüger&Matz contain "com.pri.factorytest" application preloaded onto devices during manufacturing process. The application "com.pri.factorytest" (version name: 1.0, version code: 1) exposes a ”com.pri.factorytest.emmc.FactoryResetService“ service allowing any application to perform a factory reset of the device.  Application update did not increment the APK version. Instead, it was bundled in OS builds released later than December 2024 (Ulefone) and most probably March 2025 (Krüger&Matz, although the vendor has not confirmed it, so newer releases might be vulnerable as well).

The vulnerability CVE-2024-13916: An application "com.pri.applock", which is pre-loaded on Krüger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.android.providers.settings.fingerprint.PriFpShareProvider“ content provider's public method "query()" allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code. Vendor did not provide information about vulnerable versions. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability.

The vulnerability CVE-2024-13917: An application "com.pri.applock", which is pre-loaded on Krüger&Matz smartphones, allows a user to encrypt any application using user-provided PIN code or by using biometric data. Exposed ”com.pri.applock.LockUI“ activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application. One must know the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or ask the user to provide it. Vendor did not provide information about vulnerable versions. Only version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability.

Credits

We thank Szymon Chadam for the responsible vulnerability report.

More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.