Pre-installed apps with security vulnerabilities on low-cost smartphones
Pre-installed apps with security vulnerabilities were discovered on inexpensive smartphones, primarily with Mediatek chipsets.
Security vulnerabilities in pre-installed apps affect low-cost smartphones from Krüger&Matz and Ulefone in particular.
(Image: Collage dmk / Website-Screenshots)
IT security researchers have discovered security vulnerabilities in pre-installed apps, particularly on inexpensive smartphones from two manufacturers. These allow attackers to reset the smartphone to factory settings, block apps with a PIN or read PIN codes without authorization.
The Polish CERT has issued a warning about this in a recent article. Smartphones from Krüger&Matz and Ulefone come with pre-installed apps that open up security gaps. Both providers specialize in cheap Android smartphones that rely on lower-cost processors, for example from Mediatek. Krüger&Matz is primarily active in Poland and Romania.
Vulnerabilities in cheap smartphones
The Polish CERT has reported a total of three vulnerable apps. The most serious vulnerability is found in “com.pri.applock”, which is used to protect an app with a PIN code or biometric data. Any app, without requesting any Android permissions, can inject malicious commands that are executed with system rights. This only requires knowledge of the PIN, which can either be requested from smartphone users or obtained using the following vulnerability (CVE-2024-13917 / EUVD-2024-54616, CVSS 8.3, risk “high”).
The accessible query() method of “com.android.providers.settings.fingerprint.PriFpShareProvider” can be used to extract the PIN code from “com.pri.applock” without requesting any Android system permissions (CVE-2024-13916 / EUVD-2024-54615, CVSS 6.9, risk “medium”). Both bugs affect the app with version name 13, version code 33.
Finally, the smartphones from Krüger&Matz and Ulefone come with the app “com.pri.factorytest” (version name 1.0, version code 1). It provides the service “com.pri.factorytest.emmc.FactoryResetService”, which allows any app to trigger a factory reset of the device (CVE-2024-13915 / EUVD-2025-16514, CVSS 6.9, risk “medium”).
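All three bugs share one root cause: app components (a content provider and a service) that any other app on the device can reach without holding a permission. The following audit script is an added example, not code from the article, from the Polish CERT, or from the affected apps. It parses a decoded AndroidManifest.xml (for instance as produced by apktool) and lists exported components that no permission attribute protects. The manifest it runs on is constructed for illustration and does not reproduce the real manifests of com.pri.applock or com.pri.factorytest; it only mirrors the pattern described above.

```python
import xml.etree.ElementTree as ET

# Android attribute namespace used in AndroidManifest.xml
A = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Constructed manifest for illustration only; NOT the manifest of
# com.pri.applock, PriFpShareProvider or com.pri.factorytest. It mirrors the
# advisory's pattern: a provider and a service that any app can reach.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preinstalled">
  <application>
    <provider android:name=".ShareProvider"
              android:authorities="com.example.preinstalled.share"
              android:exported="true" />
    <service android:name=".ResetService"
             android:exported="true" />
    <service android:name=".InternalService"
             android:exported="false" />
    <provider android:name=".GuardedProvider"
              android:authorities="com.example.preinstalled.guarded"
              android:exported="true"
              android:permission="com.example.preinstalled.permission.READ" />
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED" />
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def is_exported(component):
    """Apply Android's export rules for apps targeting API < 31 (the affected
    devices run older Android): an explicit android:exported wins; otherwise a
    component with an <intent-filter> is exported by default, and a provider
    without the attribute is treated as not exported (the default since API 17)."""
    explicit = component.get(A + "exported")
    if explicit is not None:
        return explicit == "true"
    return component.find("intent-filter") is not None


def is_permission_guarded(component):
    """True if callers must hold a permission to reach the component."""
    return any(component.get(A + attr)
               for attr in ("permission", "readPermission", "writePermission"))


def find_unguarded_exports(manifest_xml):
    """Return [(tag, name)] for components that any app on the device can
    invoke: exported and not protected by any permission attribute."""
    root = ET.fromstring(manifest_xml)
    application = root.find("application")
    findings = []
    for component in application:
        if component.tag not in COMPONENT_TAGS:
            continue
        if is_exported(component) and not is_permission_guarded(component):
            findings.append((component.tag, component.get(A + "name")))
    return findings


if __name__ == "__main__":
    for tag, name in find_unguarded_exports(SAMPLE_MANIFEST):
        print(f"unguarded exported {tag}: {name}")
```

On the constructed manifest the script flags the provider, the reset service and the boot receiver (implicitly exported through its intent-filter), but not the permission-guarded provider or the non-exported service. For a pre-installed app with system rights, every entry in that list is a candidate for exactly the kind of privilege escalation the advisory describes and should carry a signature-level permission or be marked non-exported.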
The update situation is currently unclear. The Polish CERT writes that Ulefone firmware released after December 2024 ships a bug-fixed version of the factory test app under the same version number. For Krüger&Matz phones this is probably the case for firmware versions after March 2025, but the manufacturer has not confirmed this, so newer releases may still be vulnerable. The same applies to the other two vulnerabilities, for which the manufacturer has also not provided any information on the vulnerable and corrected versions. According to the manufacturer's website, the smartphones generally ship with rather outdated Android versions. Krüger&Matz still offers devices with Android 11; Google discontinued support for its successors Android 12 and 12L at the end of March this year, and there are no longer any security updates for them. Ulefone, at least, no longer sells devices with Android versions older than 12.
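Because the fixed factory test app keeps the same version number, checking the package version alone cannot tell a patched Ulefone firmware from a vulnerable one. The triage script below is an added example, not code from the article or the Polish CERT. It parses `adb shell dumpsys package` style output for the package names and version data quoted above, and for com.pri.factorytest also compares the firmware build date (`getprop ro.build.date.utc`) against the December 2024 date the CERT gives for Ulefone; the unconfirmed Krüger&Matz date is deliberately not used as a cutoff. The dumpsys excerpt and the build timestamps are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Packages and the version data the article quotes from the Polish CERT advisory.
ADVISORY = {
    "com.pri.applock": {"cves": ("CVE-2024-13917", "CVE-2024-13916"),
                        "versionName": "13", "versionCode": 33},
    "com.pri.factorytest": {"cves": ("CVE-2024-13915",),
                            "versionName": "1.0", "versionCode": 1},
}

# Ulefone ships a fixed factory-test app under the SAME version number in
# firmware after December 2024, so firmware built from 2025-01-01 on is treated
# as likely fixed. The Krüger&Matz date (March 2025) is unconfirmed by the
# vendor, so no cutoff is assumed for it: same version means vulnerable.
FACTORYTEST_FIX_CUTOFF = {"ulefone": datetime(2025, 1, 1, tzinfo=timezone.utc)}

PKG_HEADER = re.compile(r"^\s*Package \[(?P<pkg>[\w.]+)\]")
VERSION_CODE = re.compile(r"^\s*versionCode=(?P<code>\d+)")
VERSION_NAME = re.compile(r"^\s*versionName=(?P<name>\S+)")

# Constructed excerpt in the shape of `adb shell dumpsys package` output;
# the hashes, uids, paths and SDK levels are made up.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.pri.applock] (1a2b3c4):
    userId=10042
    codePath=/system/app/AppLock
    versionCode=33 minSdk=29 targetSdk=33
    versionName=13
  Package [com.pri.factorytest] (5d6e7f8):
    userId=1000
    codePath=/system/app/FactoryTest
    versionCode=1 minSdk=29 targetSdk=33
    versionName=1.0
  Package [com.android.providers.settings] (9a0b1c2):
    userId=1000
    versionCode=33 minSdk=29 targetSdk=33
    versionName=13
"""


def parse_dumpsys_package(text):
    """Extract {package: {"versionCode": int, "versionName": str}}."""
    packages, current = {}, None
    for line in text.splitlines():
        header = PKG_HEADER.match(line)
        if header:
            current = header.group("pkg")
            packages[current] = {}
            continue
        if current is None:
            continue
        code = VERSION_CODE.match(line)
        if code:
            packages[current]["versionCode"] = int(code.group("code"))
        name = VERSION_NAME.match(line)
        if name:
            packages[current]["versionName"] = name.group("name")
    return packages


def assess(packages, vendor, build_epoch):
    """Verdict per advisory package: not_installed, unknown_version,
    likely_fixed or vulnerable. build_epoch is `getprop ro.build.date.utc`."""
    build_date = datetime.fromtimestamp(build_epoch, tz=timezone.utc)
    verdicts = {}
    for pkg, adv in ADVISORY.items():
        installed = packages.get(pkg)
        if installed is None:
            verdicts[pkg] = "not_installed"
            continue
        installed_version = (installed.get("versionCode"), installed.get("versionName"))
        if installed_version != (adv["versionCode"], adv["versionName"]):
            # The CERT has no data on other versions; report, do not guess.
            verdicts[pkg] = "unknown_version"
            continue
        cutoff = None
        if pkg == "com.pri.factorytest":
            cutoff = FACTORYTEST_FIX_CUTOFF.get(vendor.lower())
        verdicts[pkg] = "likely_fixed" if cutoff and build_date >= cutoff else "vulnerable"
    return verdicts


if __name__ == "__main__":
    found = parse_dumpsys_package(SAMPLE_DUMPSYS)
    for pkg, verdict in assess(found, "Ulefone", 1740000000).items():
        print(f"{pkg}: {verdict} ({', '.join(ADVISORY[pkg]['cves'])})")
```

Run against a real device, feed it the output of `adb shell dumpsys package` and the integer from `adb shell getprop ro.build.date.utc`. A "likely_fixed" verdict only ever applies to the factory test app on Ulefone firmware; for com.pri.applock the script reports the advisory version as vulnerable regardless of build date, because no corrected version has been named.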
This case is somewhat unusual, as it “only” concerns vulnerabilities in regular software that is installed on smartphones ex works. We are more familiar with cases in which malware such as Trojans are pre-installed in the firmware of such cheap Android smartphones. Cell phones infected in this way maliciously spy on their owners.
(dmk)