CVE ID | CVE-2024-13915 |
Publication date | 30 May 2025 |
Vendor | Ulefone and Krüger&Matz |
Product | com.pri.factorytest |
Vulnerable versions | All through 1.0 |
Vulnerability type (CWE) | Improper Export of Android Application Components (CWE-926) |
Report source | Report to CERT Polska |

CVE ID | CVE-2024-13916 |
Publication date | 30 May 2025 |
Vendor | Krüger&Matz |
Product | com.pri.applock |
Vulnerable versions | 13 |
Vulnerability type (CWE) | Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) |
Report source | Report to CERT Polska |

CVE ID | CVE-2024-13917 |
Publication date | 30 May 2025 |
Vendor | Krüger&Matz |
Product | com.pri.applock |
Vulnerable versions | 13 |
Vulnerability type (CWE) | Improper Export of Android Application Components (CWE-926) |
Report source | Report to CERT Polska |
Description
CERT Polska has received a report about vulnerabilities in applications preloaded on Ulefone and Krüger&Matz smartphones and participated in the coordination of their disclosure.
The vulnerability CVE-2024-13915: Android-based smartphones from vendors such as Ulefone and Krüger&Matz contain the "com.pri.factorytest" application, preloaded onto devices during the manufacturing process. The application "com.pri.factorytest" (version name: 1.0, version code: 1) exposes the "com.pri.factorytest.emmc.FactoryResetService" service, allowing any application to perform a factory reset of the device. The application update did not increment the APK version. Instead, it was bundled in OS builds released later than December 2024 (Ulefone) and most probably March 2025 (Krüger&Matz, although the vendor has not confirmed it, so newer releases might be vulnerable as well).
The vulnerability CVE-2024-13916: An application "com.pri.applock", which is pre-loaded on Krüger&Matz smartphones, allows a user to encrypt any application using a user-provided PIN code or biometric data. The public method "query()" of the exposed "com.android.providers.settings.fingerprint.PriFpShareProvider" content provider allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code. The vendor did not provide information about vulnerable versions. Only one version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability.
The vulnerability CVE-2024-13917: An application "com.pri.applock", which is pre-loaded on Krüger&Matz smartphones, allows a user to encrypt any application using a user-provided PIN code or biometric data. The exposed "com.pri.applock.LockUI" activity allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges into a protected application. Doing so requires knowing the protecting PIN number (it might be revealed by exploiting CVE-2024-13916) or asking the user to provide it. The vendor did not provide information about vulnerable versions. Only one version (version name: 13, version code: 33) was tested and confirmed to have this vulnerability.
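All three issues involve a component that other applications can reach without holding any permission. The following audit script is an added example, not code from CERT Polska, the reporter or the vendors: it lists exported components that lack a permission guard in a manifest already decoded to text XML. The sample manifest and every name in it are constructed, and the default-export rule is an assumption stated in the code.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest (decoded XML); every name in it is hypothetical.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android">
  <application>
    <service android:name=".ResetService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.permission.RESET"/>
    <provider android:name=".PinProvider" android:exported="true"
              android:readPermission="com.example.permission.READ"/>
    <activity android:name=".LockActivity">
      <intent-filter><action android:name="com.example.UNLOCK"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(elem):
    """Explicit android:exported wins. If it is absent, assume the defaults for
    apps targeting API 17 to 30: an intent filter exports, a provider does not."""
    flag = elem.get(ANDROID + "exported")
    if flag is not None:
        return flag.strip().lower() == "true"
    return elem.tag != "provider" and elem.find("intent-filter") is not None


def is_guarded(elem, app_permission):
    """True if callers need a permission for every way into the component."""
    general = elem.get(ANDROID + "permission") or app_permission
    if general or elem.tag != "provider":
        return bool(general)
    # Providers may guard reads and writes separately; both must be set.
    return bool(elem.get(ANDROID + "readPermission")
                and elem.get(ANDROID + "writePermission"))


def unprotected_exports(manifest_xml):
    """Return (tag, android:name) of exported components with no permission."""
    app = ET.fromstring(manifest_xml).find("application")
    if app is None:
        return []
    app_permission = app.get(ANDROID + "permission")
    return [(e.tag, e.get(ANDROID + "name")) for e in app if e.tag in COMPONENTS
            and is_exported(e) and not is_guarded(e, app_permission)]
```

A listed component is a candidate for review, not a confirmed flaw. A component that does declare a permission is still reachable by any application if that permission has the normal protection level.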
Credits
We thank Szymon Chadam for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.