
Ulefone and Krüger&Matz smartphones are sold preloaded with apps that attackers can abuse to factory reset the devices, steal PIN codes, and even gain some system-level access, according to CERT Polska’s disclosure.
Polish computer emergency response team CERT Polska has warned about three severe vulnerabilities in preloaded apps on Ulefone and Krüger&Matz smartphones.
The two brands primarily target budget-conscious consumers. Ulefone is a Chinese smartphone manufacturer, while Krüger&Matz is a Polish brand specializing in importing mobile devices and audio equipment.
The most dangerous vulnerability, with a severity rating of 8.3 out of 10, was discovered in the app lock system on Krüger&Matz smartphones.
The devices contain the “com.pri.applock” app that encrypts apps using a user-provided PIN code or biometric data. However, its activity is exposed and allows any other malicious app, with no granted Android system permissions, “to inject an arbitrary intent with system-level privileges to a protected application.”
To exploit the flaw, attackers would need to know or ask users for the PIN. However, they can abuse another flaw that affects the same app.
It “allows any other malicious application, without any granted Android system permissions, to exfiltrate the PIN code,” CERT Polska writes in the report.
The issue is in the part of the app that allows other apps to access sensitive information about fingerprint settings – the exposed public method query().
The third flaw affects factory reset services used by both Ulefone and Krüger&Matz devices. They contain the preloaded “com.pri.factorytest” app, which exposes the factory reset service to any application on the device, allowing it to factory reset the device.
The report shows that factory-preloaded apps often have powerful components that could be accessed by other apps, but sometimes fail to properly vet which apps can launch them, or what data they can access.
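A defender's check for the class of issue the report describes, added here as an example and not taken from CERT Polska or the vendors: it scans a decoded AndroidManifest.xml for exported activities, services, receivers and providers that declare no permission. The package and component names in the sample manifest are constructed, and the export rule is a simplification.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "service", "receiver", "provider")

# Constructed sample manifest (decoded XML form); all names are hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.preload">
  <application>
    <activity android:name=".UnlockActivity" android:exported="true"/>
    <provider android:name=".SettingsProvider" android:exported="true"
              android:authorities="com.example.preload.settings"/>
    <service android:name=".ResetService">
      <intent-filter><action android:name="com.example.preload.RESET"/></intent-filter>
    </service>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.preload.permission.RESET"/>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""


def is_exported(elem):
    """Explicit android:exported wins; otherwise an intent-filter implies export
    (the pre-Android 12 default). Simplification: provider defaults are ignored."""
    flag = elem.get(ANDROID + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return elem.find("intent-filter") is not None


def unguarded_components(manifest_xml):
    """Return (tag, name) for exported components with no permission requirement."""
    root = ET.fromstring(manifest_xml)
    app = root.find("application")
    app_perm = app.get(ANDROID + "permission") if app is not None else None
    findings = []
    for tag in COMPONENTS:
        for elem in root.iter(tag):
            perms = [elem.get(ANDROID + k) for k in
                     ("permission", "readPermission", "writePermission")]
            if is_exported(elem) and not (app_perm or any(perms)):
                findings.append((tag, elem.get(ANDROID + "name")))
    return findings


if __name__ == "__main__":
    for tag, name in unguarded_components(SAMPLE_MANIFEST):
        print(f"exported without permission: <{tag}> {name}")
```

A declared permission is only a starting point for review: the check does not evaluate the permission's protection level or what the component does with caller-supplied data.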