Preinstalled Android Apps Found Leaking PINs and Executing Malicious Commands
On May 30, 2025, CERT Polska coordinated the public disclosure of three significant security vulnerabilities affecting preinstalled Android applications on smartphones from Ulefone and Krüger&Matz.
These flaws, tracked as CVE-2024-13915, CVE-2024-13916, and CVE-2024-13917, expose users to risks ranging from unauthorized device resets to theft of sensitive PIN codes and privilege escalation by malicious applications.
Technical Breakdown of the Vulnerabilities
The table below summarizes the key details of the reported vulnerabilities:
CVE ID | Product | Vendor(s) | Affected Versions | CWE Type & Description |
---|---|---|---|---|
CVE-2024-13915 | com.pri.factorytest | Ulefone, Krüger&Matz | All through 1.0 | CWE-926: Improper Export of Android Application Components – Unrestricted access to FactoryResetService enables factory reset by any app. |
CVE-2024-13916 | com.pri.applock | Krüger&Matz | 13 | CWE-497: Exposure of Sensitive System Information – Malicious apps can steal the user’s PIN via an exported content provider. |
CVE-2024-13917 | com.pri.applock | Krüger&Matz | 13 | CWE-926: Improper Export of Android Application Components – Exposed activity allows privilege escalation with knowledge of the PIN. |
Factory Reset Service Exposure
The com.pri.factorytest app, preinstalled on Ulefone and Krüger&Matz devices, exposes the com.pri.factorytest.emmc.FactoryResetService service.
Due to improper export controls, any installed application can invoke this service to perform a full factory reset, potentially wiping all user data without consent.
This vulnerability is classified under CWE-926, which describes failures to properly restrict exported Android components, allowing unauthorized app interaction.
AppLock PIN Exfiltration
On Krüger&Matz devices, the com.pri.applock app is intended to secure other applications using a user PIN or biometric data.
However, the com.android.providers.settings.fingerprint.PriFpShareProvider content provider exposes a public query() method, allowing any app, without permissions, to extract the user’s PIN.
This is a classic case of CWE-497, where sensitive system information is exposed to unauthorized actors.
```java
import android.database.Cursor;
import android.net.Uri;

// Query issued from an app holding no permissions against the exported provider
Cursor cursor = getContentResolver().query(
    Uri.parse("content://com.android.providers.settings.fingerprint.PriFpShareProvider"),
    null, null, null, null);
// Malicious app can read PIN from cursor
```
Intent Injection via Exposed Activity
Also affecting com.pri.applock (version 13), the exported activity com.pri.applock.LockUI can be invoked by any application.
A malicious app can inject arbitrary intents with system-level privileges into protected apps, provided it knows the PIN (which can be stolen via CVE-2024-13916).
This is another instance of CWE-926—improper export of Android components, leading to potential privilege escalation and unauthorized access.
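All three findings come down to components reachable from any installed app. As an added defender-side example (not code from the advisory, CERT Polska or the vendors), the audit below parses a constructed AndroidManifest.xml and reports components that are exported, explicitly or by the intent-filter default, without any permission guard; the component names are the ones the advisory cites, while the package name, permission name and attribute values are assumptions.

```python
# Added example: flag CWE-926-style exposures (exported components with no
# android:permission guard) in an AndroidManifest.xml. Not vendor code.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest (assumed values): the service and activity are exported
# with no guard; the provider is exported but locked behind a signature permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preinstalled">
  <permission android:name="com.example.SHARE" android:protectionLevel="signature"/>
  <application>
    <service android:name="com.pri.factorytest.emmc.FactoryResetService"
             android:exported="true"/>
    <activity android:name="com.pri.applock.LockUI" android:exported="true"/>
    <provider android:name="com.android.providers.settings.fingerprint.PriFpShareProvider"
              android:authorities="com.android.providers.settings.fingerprint.PriFpShareProvider"
              android:exported="true"
              android:permission="com.example.SHARE"/>
  </application>
</manifest>"""


def attr(elem, name):
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Android's rule: explicit android:exported wins; otherwise a component
    that declares an <intent-filter> is exported by default."""
    explicit = attr(elem, "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.find("intent-filter") is not None


def is_guarded(elem, tag):
    """A component counts as guarded only if a permission covers every entry point."""
    if attr(elem, "permission"):
        return True
    if tag == "provider":
        return bool(attr(elem, "readPermission") and attr(elem, "writePermission"))
    return False


def find_unguarded_exports(manifest_xml):
    """Return [(tag, name)] for components any app on the device could invoke."""
    root = ET.fromstring(manifest_xml)
    return [(tag, attr(c, "name")) for tag in COMPONENT_TAGS
            for c in root.iter(tag) if is_exported(c) and not is_guarded(c, tag)]


if __name__ == "__main__":
    for tag, name in find_unguarded_exports(SAMPLE_MANIFEST):
        print("CWE-926 candidate: <%s> %s exported without a permission" % (tag, name))
```

Setting android:exported="false" on the service and activity (or binding them to a signature-level permission, as the sample provider does) removes them from the report.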
Coordinated Disclosure and Security Implications
CERT Polska managed the responsible disclosure process, highlighting the importance of coordinated vulnerability management in the Android ecosystem.
These vulnerabilities demonstrate the critical need for strict export controls on Android components and robust protection of sensitive user data.
Users of affected devices should seek firmware updates or mitigations from vendors and remain vigilant about app permissions and unusual device behavior.