Smartphones from Ulefone and Krüger&Matz are shipping with preloaded apps that contain serious security flaws, potentially allowing attackers to steal PIN codes, perform unauthorized factory resets, and gain system-level access, according to a report from CERT Polska, Poland’s national computer emergency response team.
The report discloses three critical vulnerabilities, tracked as CVE-2024-13915, CVE-2024-13916, and CVE-2024-13917, all stemming from insecure implementations in pre-installed applications on budget devices from the two manufacturers.
Ulefone is a Chinese smartphone maker, and Krüger&Matz is a Polish brand known for importing mobile devices and consumer electronics.
The most severe issue, CVE-2024-13917, was found in the “com.pri.applock” app preloaded on Krüger&Matz smartphones. The app is designed to lock access to other applications using a PIN or biometric authentication. However, CERT Polska found that the app’s activity is improperly exposed, allowing a malicious app without any system permissions to inject arbitrary intents and potentially execute actions with elevated privileges.
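The misconfiguration class described above, shown as an added illustration rather than the vendor's actual manifest (the package, activity and permission names are placeholders): an activity exported with no protection, beside two hardened declarations.

```xml
<!-- Constructed example, not the vendor's manifest. All names are placeholders. -->
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.applock">

    <!-- Weak: exported with no permission, so any installed app, without any
         system permission, can start this activity with an arbitrary intent and
         reach whatever privileged actions it performs. (Note that on API levels
         below 31 an <intent-filter> makes a component exported by default.) -->
    <!--
    <activity android:name=".LockControlActivity"
        android:exported="true" />
    -->

    <!-- Hardened, option 1: keep the activity internal. Only this app's own
         components can start it. -->
    <activity android:name=".LockControlActivity"
        android:exported="false" />

    <!-- Hardened, option 2: if another app legitimately needs to call it, gate it
         behind a signature-level permission, so only apps signed with the same
         key as this one can hold it. -->
    <permission android:name="com.example.applock.permission.CONTROL_LOCK"
        android:protectionLevel="signature" />

    <activity android:name=".LockAdminActivity"
        android:exported="true"
        android:permission="com.example.applock.permission.CONTROL_LOCK" />
</manifest>
```

On a connected device, `adb shell dumpsys package <package>` lists a package's activities together with their exported state and any required permission, which is the quick way to audit a preloaded app for this pattern.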
In practical terms, this could enable an attacker to reset the phone, disable security features, or manipulate protected apps, all without user consent or elevated permissions.
While CVE-2024-13917 requires the attacker to know the user's PIN, a separate flaw, CVE-2024-13916, could be exploited to extract that PIN without needing system-level permissions. A third vulnerability, CVE-2024-13915, impacts both brands and could enable a malicious app to remotely trigger a factory reset, effectively wiping user data and rendering the device unusable until reconfigured.