Security Vulnerabilities in Preloaded Android Apps: A Closer Look
On June 2, 2025, cybersecurity researchers disclosed three significant vulnerabilities in preinstalled Android applications found on smartphones from Ulefone and Krüger&Matz. These security flaws pose potential risks, as they could allow malicious applications to execute harmful actions such as performing factory resets and encrypting other applications on users’ devices.
Overview of the Vulnerabilities
CVE-2024-13915
The first vulnerability identified is CVE-2024-13915, which carries a CVSS score of 6.9. This flaw exists in a pre-installed application named "com.pri.factorytest" on the affected Ulefone and Krüger&Matz devices. It exposes a service called "com.pri.factorytest.emmc.FactoryResetService." Because the service is exposed, any app installed on the device can invoke it and trigger a factory reset. This action would erase all data on the device, presenting a critical risk for users who may inadvertently install a malicious app.
CVE-2024-13916
Next is CVE-2024-13916, which also scores 6.9 on the CVSS scale. This vulnerability is linked to another pre-installed application, "com.pri.applock," found specifically on Krüger&Matz smartphones. It allows users to encrypt applications through personal identification numbers (PINs) or biometric data. The app also exposes an accessible content provider, "com.android.providers.settings.fingerprint.PriFpShareProvider," whose "query()" method allows unauthorized apps to extract stored PIN codes from the device. This vulnerability could lead to unauthorized access to sensitive information, raising considerable concerns regarding user security.
CVE-2024-13917
The most severe vulnerability is CVE-2024-13917, with a CVSS score of 8.3. Like the previous vulnerabilities, this one also resides in the "com.pri.applock" application. It exposes an activity called "com.pri.applock.LockUI," which permits any malicious application, regardless of the permissions granted to it by the Android system, to inject an arbitrary intent with system-level privileges into a protected application. This flaw becomes more damaging when chained with the other vulnerabilities, particularly CVE-2024-13916.
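All three flaws share one root cause: an app component (a service, a content provider, an activity) that is exported to every other app on the device without a permission guarding it. The following audit script is an added example, not code from the advisory or from the affected vendors: it walks a decoded AndroidManifest.xml and flags exported components that carry no android:permission (or read/writePermission) attribute. The manifest it scans is constructed for illustration and is not the real manifest of the com.pri.* apps; the exported-by-default rule it applies is the pre-Android 12 intent-filter heuristic and does not model the older provider default.

```python
# Added example (not vendor or advisory code): flag exported Android components
# that no permission guards. The sample manifest below is constructed, not real.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
GUARD_ATTRS = ("permission", "readPermission", "writePermission")


def is_exported(elem):
    """Resolve android:exported; without it, an <intent-filter> means exported."""
    explicit = elem.get(ANDROID_NS + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    # Pre-Android 12 default (the pre-API-17 provider default is not modelled).
    return elem.find("intent-filter") is not None


def find_unprotected_exports(manifest_xml):
    """Return (tag, name) for exported components with no permission guard."""
    app = ET.fromstring(manifest_xml).find("application")
    findings = []
    for elem in app if app is not None else []:
        if elem.tag in COMPONENT_TAGS and is_exported(elem):
            if not any(elem.get(ANDROID_NS + g) for g in GUARD_ATTRS):
                findings.append((elem.tag, elem.get(ANDROID_NS + "name")))
    return findings


# Constructed manifest showing the exposure pattern described in the advisory.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.pri.factorytest">
  <application>
    <service android:name="com.pri.factorytest.emmc.FactoryResetService"
             android:exported="true"/>
    <service android:name=".InternalService" android:exported="false"/>
    <activity android:name=".MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <provider android:name=".GuardedProvider" android:authorities="example.auth"
              android:exported="true" android:readPermission="example.PLACEHOLDER"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for tag, name in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"{tag} {name}: exported without a permission guard")
```

The fix on the vendor side is the mirror image of the check: set android:exported="false" on components other apps never need, and guard the rest with a signature-level permission.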
Implications of the Vulnerabilities
While exploiting CVE-2024-13917 requires knowledge of the PIN that protects the user's locked applications, it can be used in tandem with CVE-2024-13916 to leak that very PIN. Chained together, these vulnerabilities pose a serious threat, as they can escalate a basic infection into a more pervasive attack on user data.
Responsible Disclosure and Patch Status
CERT Polska has been instrumental in highlighting these vulnerabilities, crediting researcher Szymon Chadam for his responsible disclosure of the issues. However, the current status regarding patches or updates to address these vulnerabilities remains uncertain. Efforts are underway to reach out to both Ulefone and Krüger&Matz for further insights and to confirm whether any measures are being taken to rectify these flaws.
Given the potential impacts of these vulnerabilities, users of Ulefone and Krüger&Matz smartphones need to remain vigilant. Awareness of the apps installed on their devices and possible security updates is crucial in safeguarding against the risks associated with these vulnerabilities.
Staying Informed
As new developments emerge regarding these security issues, it’s essential for users and tech enthusiasts alike to stay informed. Following reliable sources and engaging in discussions around mobile security can help mitigate risks and promote a safer smartphone experience.