Preinstalled Apps Found Exposing PIN Codes and Executing Malicious Commands

Critical security vulnerabilities affect smartphones from the manufacturers Ulefone and Krüger&Matz: preinstalled applications contain serious flaws that allow unauthorized factory resets, PIN code theft, and arbitrary command injection.

The three Common Vulnerabilities and Exposures (CVEs) published on May 30, 2025, demonstrate how vendor-installed software can create significant security risks for millions of users worldwide.

The most destructive vulnerability, CVE-2024-13915, affects the “com.pri.factorytest” application preloaded on both Ulefone and Krüger&Matz devices.

This manufacturing diagnostic tool, running version 1.0, exposes a critical service component called “com.pri.factorytest.emmc.FactoryResetService” that any installed application can exploit to trigger a complete factory reset of the device.

The vulnerability stems from improper export of Android application components, classified under CWE-926.

Any malicious application installed on affected devices can invoke this service without requiring special permissions, effectively allowing attackers to remotely wipe user data, settings, and installed applications.

This represents a catastrophic security failure where a simple malicious app download could result in complete data loss.

Ulefone has addressed this issue in OS builds released after December 2024, while Krüger&Matz likely fixed it in builds from March 2025, though the vendor has not confirmed the exact timeline.

Notably, the application update did not increment the APK version number, making it difficult for users to determine if their devices remain vulnerable.

Preinstalled Apps

CVE-2024-13916 targets the “com.pri.applock” application on Krüger&Matz smartphones, which provides app-level encryption using PIN codes or biometric authentication.

The vulnerability lies in an exposed content provider called “com.android.providers.settings.fingerprint.PriFpShareProvider” that makes its query() method publicly accessible.

This design flaw, categorized as CWE-497 (Exposure of Sensitive System Information), allows any malicious application to exfiltrate user PIN codes without requiring any Android system permissions.

The vulnerability effectively renders the app lock security feature useless, as attackers can simply read the PIN code directly from the exposed data store.

Testing confirmed that version 13 (version code: 33) contains this vulnerability, though Krüger&Matz has not provided information about which versions remain affected.

This represents a fundamental breach of the principle of least privilege in Android security architecture.

Privilege Escalation

The third vulnerability, CVE-2024-13917, also affects the “com.pri.applock” application and allows malicious applications to inject arbitrary intents with system-level privileges into protected applications.

The exposed “com.pri.applock.LockUI” activity creates this security gap, enabling attackers to bypass application protections.

Exploitation requires knowledge of the protecting PIN number, which attackers can obtain by exploiting CVE-2024-13916.

Once armed with the PIN, malicious applications can inject commands that execute with elevated privileges, potentially compromising device security entirely.

According to the report, this vulnerability demonstrates how multiple security vulnerabilities can chain together to create devastating attack scenarios.

The combination of PIN exfiltration and arbitrary intent injection effectively neutralizes the app lock mechanism while providing attackers with system-level access.
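All three flaws come down to components that are exported without a permission guarding them. The following is an added example, not code from the report or the vendors: it audits a decoded AndroidManifest.xml for exported activities, services and providers that any installed app could reach. The manifest, package name and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed sample (hypothetical package and component names), in the decoded
# XML form a tool such as apktool produces from an APK's binary manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.vendortool">
  <application>
    <service android:name=".ResetService" android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="android.permission.MASTER_CLEAR"/>
    <provider android:name=".PinProvider" android:exported="true"
              android:authorities="com.example.vendortool.pin"
              android:writePermission="com.example.vendortool.WRITE"/>
    <activity android:name=".UnlockActivity">
      <intent-filter><action android:name="com.example.UNLOCK"/></intent-filter>
    </activity>
    <activity android:name=".InternalActivity" android:exported="false"/>
  </application>
</manifest>"""

def is_exported(elem):
    # An explicit android:exported wins. Without it, an intent-filter implies
    # export for apps targeting below API 31 (newer targets must be explicit).
    flag = elem.get(ANDROID + "exported")
    if flag is not None:
        return flag.lower() == "true"
    return elem.find("intent-filter") is not None

def audit_manifest(xml_text):
    """Return (tag, name, reason) for exported components lacking a permission."""
    findings = []
    app = ET.fromstring(xml_text).find("application")
    for elem in (app if app is not None else []):
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem):
            continue
        if elem.get(ANDROID + "permission"):
            continue  # callers must hold this permission
        reason = "any app can start or bind it"
        if elem.tag == "provider":
            missing = [p for p in ("readPermission", "writePermission")
                       if not elem.get(ANDROID + p)]
            if not missing:
                continue
            reason = "no " + "/".join(missing)
        findings.append((elem.tag, elem.get(ANDROID + "name"), reason))
    return findings
```

Because the fixed builds did not change the APK version number, inspecting the manifest of the installed package is a more reliable check than comparing versions. A permission attribute only helps if its protectionLevel keeps third-party apps from obtaining it, which this check does not resolve.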

CERT Polska credited security researcher Szymon Chadam for the responsible disclosure of these vulnerabilities, highlighting the importance of independent security research in identifying critical flaws in consumer devices.

The post Preinstalled Apps Found Exposing PIN Codes and Executing Malicious Commands appeared first on Cyber Security News.