Latest Cyber Security News

You are here: Home / General Cyber Security News / Preinstalled Apps on Ulefone, Krüger&Matz Phones Let Any App Reset Device, Steal PIN
June 2, 2025

Three security vulnerabilities have been disclosed in preloaded Android applications on smartphones from Ulefone and Krüger&Matz that could enable any app installed on the device to perform a factory reset and encrypt an application.

A brief description of the three flaws is as follows –

  • CVE-2024-13915 (CVSS score: 6.9) – A pre-installed “com.pri.factorytest” application on Ulefone and Krüger&Matz smartphones exposes a “com.pri.factorytest.emmc.FactoryResetService” service that allows any installed application to perform a factory reset of the device.
  • CVE-2024-13916 (CVSS score: 6.9) – A pre-installed “com.pri.applock” application on Kruger&Matz smartphones allows a user to encrypt any application using user-provided PIN code or by using biometric data. The app also exposes a “com.android.providers.settings.fingerprint.PriFpShareProvider” content provider’s “query()” method that permits any malicious app already installed on the device by some other means to exfiltrate the PIN code.
  • CVE-2024-13917 (CVSS score: 8.3) – A pre-installed “com.pri.applock” application on Kruger&Matz smartphones exposed an “com.pri.applock.LockUI” activity that allows any other malicious application, with no granted Android system permissions, to inject an arbitrary intent with system-level privileges to a protected application.

Cybersecurity

✔ Approved From Our Partners
AOMEI Backupper Lifetime

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code


While exploiting CVE-2024-13917 requires an adversary to know the protecting PIN number, it could be chained with CVE-2024-13916 to leak the PIN code.

CERT Polska, which detailed the vulnerabilities, credited Szymon Chadam for responsibly disclosing them. However, the exact patch status of these flaws remain unclear. The Hacker News has reached out to both Ulefone and Krüger&Matz for additional comment and we will update the story if we hear back.

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.


Some parts of this article are sourced from:
thehackernews.com

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *