Full Report
CERT Polska has received a report about 3 vulnerabilities (from CVE-2024-13915 to CVE-2024-13917) found in applications preloaded on Ulefone and Krüger&Matz smartphones.
Analysis Summary
# Vulnerability: Multiple Flaws in Preloaded Ulefone/Krüger&Matz Smartphone Applications
## CVE Details
| CVE ID | CVSS Score | Severity | CWE |
| :--- | :--- | :--- | :--- |
| CVE-2024-13915 | N/A | N/A | CWE-926: Improper Export of Android Application Components |
| CVE-2024-13916 | N/A | N/A | CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere |
| CVE-2024-13917 | N/A | N/A | CWE-926: Improper Export of Android Application Components |
*(Note: CVSS scores were not provided in the source material.)*
## Affected Systems
| CVE ID | Product Name | Vulnerable Versions | Configurations |
| :--- | :--- | :--- | :--- |
| CVE-2024-13915 | `com.pri.factorytest` | All through version 1.0 | Ulefone and Krüger&Matz devices (OS builds released after Dec 2024 for Ulefone, likely after Mar 2025 for Krüger&Matz) |
| CVE-2024-13916 | `com.pri.applock` | Version 13 (code 33) | Krüger&Matz smartphones |
| CVE-2024-13917 | `com.pri.applock` | Version 13 (code 33) | Krüger&Matz smartphones |
## Vulnerability Description
**CVE-2024-13915 (`com.pri.factorytest`):** The application exposes an internal service (`com.pri.factorytest.emmc.FactoryResetService`). This component is improperly exported, allowing **any installed application** on the device (without requiring special permissions) to trigger a full factory reset of the smartphone.
**CVE-2024-13916 (`com.pri.applock`):** The AppLock feature uses a content provider (`com.android.providers.settings.fingerprint.PriFpShareProvider`). A public `query()` method on this provider allows **any malicious application**, even one without system permissions, to exfiltrate the user-set PIN code used to protect other applications.
**CVE-2024-13917 (`com.pri.applock`):** The AppLock component exposes an activity (`com.pri.applock.LockUI`). This allows **any malicious application** to inject an arbitrary intent with system-level privileges into a protected application. Successful exploitation requires either knowing the protecting PIN (which may be obtained via CVE-2024-13916) or getting the user to enter it.
## Exploitation
| CVE ID | Status | Complexity | Attack Vector |
| :--- | :--- | :--- | :--- |
| CVE-2024-13915 | PoC available (Implied by severity of remote factory reset capability) | Low | Local (Requires installation of a secondary malicious app) |
| CVE-2024-13916 | PoC available (Implied by direct data leakage) | Low | Local (Requires installation of a secondary malicious app) |
| CVE-2024-13917 | PoC available (Implied, tied to CVE-2024-13916) | Medium (Requires knowledge of PIN or social engineering) | Local (Requires installation of a secondary malicious app) |
## Impact
| CVE ID | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2024-13915 | N/A (Direct data loss) | Complete (Device state integrity destroyed) | Complete (Device rendered inoperable/wiped) |
| CVE-2024-13916 | High (Direct theft of user PIN) | Partial (PIN used to bypass protections) | Low (Enables local privilege escalation via AppLock) |
| CVE-2024-13917 | High (If combined with 13916, could lead to unauthorized access to data) | High (Privilege escalation to access protected app functions) | Low |
## Remediation
### Patches
* **Status:** Vendors (Ulefone and Krüger&Matz) were involved in coordination, but specific patch versions or official security advisories detailing the fixes were **not provided** in this summary source.
* Users must rely on forthcoming OS updates from the respective manufacturers.
### Workarounds
* **For CVE-2024-13915 (Factory Reset):** Secure access to the device and prevent installation of applications from untrusted sources.
* **For CVE-2024-13916/13917 (AppLock Bypass):** If possible, avoid using simple PINs for the AppLock feature if using version 13 (code 33). Users should check for updates to the preinstalled applications via official channels, though base system apps are typically updated via firmware.
## Detection
* **Indicators of Compromise (IoC):** Monitor for unexpected factory reset activity initiated by non-system processes, and for unusual calls to system APIs related to app locking mechanisms or content provider queries originating from non-system apps.
* **Detection Methods and Tools:** Standard Android security auditing tools capable of inspecting exported components (`Activity`, `Service`, `ContentProvider`) for applications like `com.pri.factorytest` and `com.pri.applock` could reveal the vulnerable interfaces.
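The component audit described above can be scripted against a decoded `AndroidManifest.xml` (for example, one produced by apktool). This is an added example, not code from CERT Polska or the vendors; the component names come from the advisory, while the sample manifest, its attributes, the package name and the helper names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample manifest in decoded XML form. Component names are taken
# from the advisory; every attribute is an illustrative assumption, not the
# real manifest of com.pri.factorytest or com.pri.applock.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.preloaded">
  <application>
    <service android:name="com.pri.factorytest.emmc.FactoryResetService"
             android:exported="true"/>
    <provider android:name="com.android.providers.settings.fingerprint.PriFpShareProvider"
              android:authorities="example.authority" android:exported="true"/>
    <activity android:name="com.pri.applock.LockUI">
      <intent-filter><action android:name="example.ACTION"/></intent-filter>
    </activity>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="example.permission.SIGNATURE_ONLY"/>
    <receiver android:name=".InternalReceiver" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(elem):
    """Explicit android:exported wins; otherwise an <intent-filter> implies export
    (the pre-Android 12 default). Providers without the attribute are treated as
    not exported, which is the default for targetSdkVersion >= 17."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    return elem.tag != "provider" and elem.find("intent-filter") is not None

def unprotected_exports(manifest_xml):
    """Return (tag, name) for exported components that declare no permission."""
    app = ET.fromstring(manifest_xml).find("application")
    app_perm = app.get(ANDROID + "permission")  # default applied to all components
    findings = []
    for elem in app:
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        perms = [elem.get(ANDROID + a) for a in ("permission", "readPermission", "writePermission")]
        if not any(perms) and not app_perm:
            findings.append((elem.tag, elem.get(ANDROID + "name")))
    return findings

if __name__ == "__main__":
    for tag, name in unprotected_exports(SAMPLE_MANIFEST):
        print(f"exported without permission: <{tag}> {name}")
```

A component that does declare a permission still needs manual review, since a permission with a `normal` or `dangerous` protection level can be requested by any third-party app.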
## References
* Vendor advisories: None provided in the summary.
* Relevant links:
    * CERT Polska Report: hxxps://cert.pl/en/posts/15893/
    * CVD Policy Information: hxxps://cert.pl/en/cvd/