Vulnerabilities in Preinstalled Android Apps Expose PIN Codes and Allow Command Injection

Vulnerabilities in Preinstalled Android Apps Expose PIN Codes and Allow Command Injection

Significant vulnerabilities were uncovered in pre-installed applications on Ulefone and Krüger&Matz Android smartphones that expose users to significant risks, including unauthorized factory resets, PIN code theft, and malicious command injection. 

These flaws, published on May 30, 2025, demonstrate how Improper Export of Android Application Components (CWE-926) can compromise device security at the system level.

Factory Reset Flaw

Three distinct vulnerabilities have been identified affecting preloaded applications on these smartphone brands. 

Google News

According to CERT Polska, CVE-2024-13915 targets the com.pri.factorytest application, which is preinstalled during the manufacturing process on both Ulefone and Krüger&Matz devices. 

This vulnerability exposes the com.pri.factorytest.emmc.FactoryResetService service, allowing any third-party application installed on the device to perform an unauthorized factory reset without requiring special permissions.

Vulnerabilities in Preinstalled Android Apps Expose PIN Codes and Allow Command Injection

The vulnerability affects version 1.0 of the factory test application, with updates being bundled into OS builds released after December 2024 for Ulefone devices and likely after March 2025 for Krüger&Matz smartphones. 

The exposed service is defined in the AndroidManifest.xml file with improper export settings, creating a significant attack vector for malicious applications.

PIN Code Theft and Intent Injection Attacks

The most concerning vulnerabilities affect the com.pri.applock application on Krüger&Matz smartphones, which is designed to encrypt applications using PIN codes or biometric data. 

CVE-2024-13916 exploits an exposed content provider called com.android.providers.settings.fingerprint.PriFpShareProvider. 

Vulnerabilities in Preinstalled Android Apps Expose PIN Codes and Allow Command Injection

The vulnerability lies in the public query() method, which allows malicious applications to exfiltrate user PIN codes without requiring any Android system permissions.

CVE-2024-13917 represents an even more severe threat, affecting the exposed com.pri.applock.LockUI activity. 

Vulnerabilities in Preinstalled Android Apps Expose PIN Codes and Allow Command Injection

This vulnerability enables malicious applications to inject arbitrary intents with system-level privileges into applications protected by AppLock. 

Attackers can exploit this by either obtaining the PIN code through CVE-2024-13916 or manipulating users into providing their credentials.

Both AppLock vulnerabilities were confirmed in version 13 (version code 33) of the application, though the vendor has not provided comprehensive information about all affected versions.

The discovery was credited to security researcher Szymon Chadam, who responsibly reported the vulnerabilities to CERT Polska.

Technical analysis reveals that these vulnerabilities stem from CWE-926: Improper Export of Android Application Components. In this weakness, applications export components for use by other applications but fail to properly restrict access. 

The three main component types affected include Activities (user interfaces), Services (background operations), and Content Providers (data sharing mechanisms).

Security researchers emphasize that these flaws highlight the broader issue of inadequate security practices in pre-installed software. 

The vulnerabilities allow malicious applications to circumvent Android’s permission model, gaining unauthorized access to sensitive system functions and user data.

To prevent similar issues, developers should explicitly mark components as android:exported=”false” in the application manifest for components not intended for external use. 

For components that must be shared, implementing signature-based restrictions using android:protectionLevel=”signature” ensures access is limited to applications signed with the same certificate.

Users of affected devices should check for system updates and consider removing or disabling vulnerable preinstalled applications where possible until patches are available.

Celebrate 9 years of ANY.RUN! Unlock the full power of TI Lookup plan (100/300/600/1,000+ search requests), and your request quota will double.



Source link