
Smartphones manufactured by Ulefone and Krüger&Matz have been found to harbor critical vulnerabilities within their pre-installed applications—flaws that allow any app installed on the device to perform a factory reset or gain access to encrypted app functionalities. These vulnerabilities pose a serious threat to user security, as they require neither superuser privileges nor any interaction from the device owner.
Three distinct vulnerabilities have been assigned official identifiers: CVE-2024-13915 and CVE-2024-13916, both rated 6.9 on the CVSS scale, and the more severe CVE-2024-13917, rated 8.3. All are linked to the preloaded applications com.pri.factorytest and com.pri.applock, which are bundled by default on devices from both Ulefone and Krüger&Matz.
The first flaw lies within the service com.pri.factorytest.emmc.FactoryResetService, which enables any third-party application to trigger a full factory reset of the device. An attacker exploiting this vulnerability could wipe all user data and restore the device to its original state without the owner’s consent.
The second vulnerability concerns the encryption of applications via PIN code or biometric authentication. The component com.android.providers.settings.fingerprint.PriFpShareProvider, embedded within the com.pri.applock app, exposes a query() method that allows external applications to extract the PIN used to secure other apps.
The most critical issue allows the injection of arbitrary system-level intents into the protected com.pri.applock.LockUI activity. Although this exploit requires knowledge of the user’s PIN code, it can be readily combined with the previous vulnerability to retrieve the PIN, effectively nullifying any authentication barrier.
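The common thread in all three findings is a component of a preloaded app that any co-installed app can reach without a permission check. The following audit script is an added example, not code from the article or from either vendor: it flags exported services, providers and activities in a decoded AndroidManifest.xml that no permission attribute guards. The sample manifest is constructed for the example and uses only the component names the article gives; the target SDK, the provider authority and the two extra services are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("service", "provider", "activity", "receiver")

# Constructed sample manifest: component names come from the article, everything
# else (authority, target SDK, the two extra services) is assumed for illustration.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.pri.factorytest">
  <uses-sdk android:targetSdkVersion="28"/>
  <application>
    <service android:name="com.pri.factorytest.emmc.FactoryResetService"
             android:exported="true"/>
    <provider android:name="com.android.providers.settings.fingerprint.PriFpShareProvider"
              android:authorities="placeholder.authority" android:exported="true"/>
    <activity android:name="com.pri.applock.LockUI">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <service android:name=".InternalService"/>
    <service android:name=".SignedOnlyService" android:exported="true"
             android:permission="com.pri.permission.SIGNATURE_ONLY"/>
  </application>
</manifest>
"""

def is_exported(elem, target_sdk):
    """Apply Android's defaults when android:exported is absent (pre-API 31 rules)."""
    explicit = elem.get(ANDROID + "exported")
    if explicit is not None:
        return explicit.lower() == "true"
    if elem.tag == "provider":
        return target_sdk < 17  # providers were exported by default before API 17
    return elem.find("intent-filter") is not None  # an intent-filter implies exported

def has_permission(elem):
    """True if any permission attribute guards the component."""
    return any(elem.get(ANDROID + a) for a in ("permission", "readPermission", "writePermission"))

def find_unguarded_exports(manifest_xml):
    """Return (tag, name) for exported components that no permission protects."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target_sdk = int(sdk.get(ANDROID + "targetSdkVersion", "1")) if sdk is not None else 1
    findings = []
    for tag in COMPONENTS:
        for elem in root.iter(tag):
            if is_exported(elem, target_sdk) and not has_permission(elem):
                findings.append((tag, elem.get(ANDROID + "name")))
    return findings
```

Run it over the manifest decoded from each preloaded APK (apktool produces one) and treat every finding as a component to either un-export or guard with a signature-level permission.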
The discovery and responsible disclosure of these vulnerabilities were undertaken by the CERT Polska team, with cybersecurity researcher Szymon Hadam credited as the author of the findings. As of now, no official confirmation has been provided regarding the release of patches—though both Ulefone and Krüger&Matz have been notified, they have not communicated any remediation plans.
This incident underscores the reality that even newly released smartphones, which users often assume to be secure due to up-to-date operating systems and advanced security features, can be compromised through flaws in pre-installed services. Experts strongly advise users to scrutinize the security of bundled applications and remain alert to updates addressing newly discovered threats.