Android Firmware Vulnerabilities - November 2019

Overview

Pre-installed apps and firmware pose a risk due to vulnerabilities that can be pre-positioned on a device, rendering the device vulnerable on purchase. To quantify the exposure of the Android end-users to vulnerabilities residing within pre-installed apps and firmware, we analyzed a wide range of Android vendors and carriers using devices spanning from low-end to flagship. Our primary focus was exposing pre-positioned threats on Android devices sold by United States (US) carriers, although our results affect devices worldwide.

Mitigation

Utilizing Kryptowire’s automated firmware scanning tools we are able to provide up to date detection of these vulnerabilities as new firmware and devices are introduced into your organization. To request more information about our firmware scanning service please click the link below.

Vulnerability Types

146

Total CVEs

29

Vendors

Affected Vendors

CVE Details

 

CVEViolationManufacturerModelStatusPackage NameApp Version CodeApp Version NameOS VersionDevice Build FingerprintCVE Info
CVE-2019-15357System Properties ModificationAdvani6AExploitable by local appcom.mediatek.wfo.impl8.1ADVAN/i6A/i6A:8.1.0/O11019/1523602705:userdebug/test-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Advan

Affected product: Product=Advan i6A, Version=ADVAN/i6A/i6A:8.1.0/O11019/1523602705:userdebug/test-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Advan i6A Android device with a build fingerprint of ADVAN/i6A/i6A:8.1.0/O11019/1523602705:userdebug/test-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15383System Properties ModificationAllviewX5Exploitable by local appcom.mediatek.wfo.impl8.1ALLVIEW/X5_Soul_Mini/X5_Soul_Mini:8.1.0/O11019/1522468763:userdebug/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Allview

Affected product: Product=Allview X5, Version=ALLVIEW/X5_Soul_Mini/X5_Soul_Mini:8.1.0/O11019/1522468763:userdebug/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Allview X5 Android device with a build fingerprint of ALLVIEW/X5_Soul_Mini/X5_Soul_Mini:8.1.0/O11019/1522468763:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15387Wireless Settings ModificationArchosCore 101Exploitable by local appcom.roco.autogen118.1archos/MTKAC101CR3G_ARCHOS/ac101cr3g:7.0/NRD90M/20180611.034442:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Archos

Affected product: Product=Archos Core 101, Version=archos/MTKAC101CR3G_ARCHOS/ac101cr3g:7.0/NRD90M/20180611.034442:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.roco.autogen with a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The The Archos Core 101 Android device with a build fingerprint of archos/MTKAC101CR3G_ARCHOS/ac101cr3g:7.0/NRD90M/20180611.034442:user/release-keys contains a pre-installed app with a package name of com.roco.autogen app (versionCode=1, versionName=1) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15391System Properties ModificationAsusASUS_X00LDExploitable by local appcom.log.logservice118.1.0asus/WW_Phone/ASUS_X00LD_1:8.1.0/OPM1.171019.011/15.0400.1809.405-0:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=Asus ZenFone 4 Selfie, Version=asus/WW_Phone/ASUS_X00LD_1:8.1.0/OPM1.171019.011/15.0400.1809.405-0:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.log.logservice with a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.log.logservice to obtain a capability that a third-party app cannot directly be granted.

Description: The Asus ZenFone 4 Selfie Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_1:8.1.0/OPM1.171019.011/15.0400.1809.405-0:user/release-keys contains a pre-installed app with a package name of com.log.logservice app (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15392System Properties ModificationAsusASUS_X00TDExploitable by local appcom.log.logservice11Android/sdm660_64/sdm660_64:8.1.0/OPM1/14.2016.1802.247-20180419:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=Asus ZenFone Max Pro, Version=Android/sdm660_64/sdm660_64:8.1.0/OPM1/14.2016.1802.247-20180419:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.log.logservice with a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.log.logservice to obtain a capability that a third-party app cannot directly be granted.

Description: The Asus ZenFone 4 Selfie Android device with a build fingerprint of Android/sdm660_64/sdm660_64:8.1.0/OPM1/14.2016.1802.247-20180419:user/release-keys contains a pre-installed app with a package name of com.log.logservice app (versionCode=1, versionName=1) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15393Wireless Settings ModificationAsusZenFone LiveExploitable by local appcom.asus.atd.smmitest117.1.1asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone Live, Version=asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.atd.smmitest having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.asus.atd.smmitest to obtain a capability that would otherwise require a permission.

Description: The Asus ZenFone Live Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with a package name of com.asus.atd.smmitest app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15394Wireless Settings ModificationAsusZenFone 5 SelfieExploitable by local appcom.asus.atd.smmitest117.1.1asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 5 Selfie, Version=asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.atd.smmitest having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.asus.atd.smmitest to obtain a capability that would otherwise require a permission.

Description: The Asus ZenFone 5 Selfie Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys contains a pre-installed app with a package name of com.asus.atd.smmitest app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15395Command ExecutionAsusZenFone 3s MaxExploitable by system or signature appcom.asus.loguploaderproxy15700000157.0.0.3_1612227asus/IN_X00G/ASUS_X00G_1:7.0/NRD90M/IN_X00G-14.02.1807.33-20180706:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 3s Max, Version=asus/IN_X00G/ASUS_X00G_1:7.0/NRD90M/IN_X00G-14.02.1807.33-20180706:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.3_161222 and version code of 1570000015.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 3s Max Android device with a build fingerprint of asus/IN_X00G/ASUS_X00G_1:7.0/NRD90M/IN_X00G-14.02.1807.33-20180706:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15396Command ExecutionAsusZenFone 3Exploitable by system or signature appcom.asus.loguploaderproxy15700000157.0.0.3_1612227asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1708.56-20170719:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 3, Version=asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1708.56-20170719:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.3_161222 and version code of 1570000015.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 3 Android device with a build fingerprint of asus/WW_Phone/ASUS_Z012D:7.0/NRD90M/14.2020.1708.56-20170719:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15397Command ExecutionAsusZenFone Max 4Exploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017.1.1asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1803.373-20180308:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone Max 4, Version=asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1803.373-20180308:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone Max 4 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1803.373-20180308:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15398Command ExecutionAsusZenFone 4 SelfieExploitable by system or signature appcom.asus.loguploaderproxy15700000157.0.0.3_1612227.1.1asus/WW_Z01M/ASUS_Z01M_1:7.1.1/NMF26F/WW_user_11.40.208.77_20170922:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 4 Selfie, Version=asus/WW_Z01M/ASUS_Z01M_1:7.1.1/NMF26F/WW_user_11.40.208.77_20170922:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.3_161222 and version code of 1570000015.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 4 Selfie Android device with a build fingerprint of asus/WW_Z01M/ASUS_Z01M_1:7.1.1/NMF26F/WW_user_11.40.208.77_20170922:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15399Command ExecutionAsusZenFone 5QExploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017asus/WW_Phone/ASUS_X018D:7.0/NRD90M/14.02.1712.29-20171227:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 5Q, Version=asus/WW_Phone/ASUS_X018D:7.0/NRD90M/14.02.1712.29-20171227:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW_Phone/ASUS_X018D:7.0/NRD90M/14.02.1712.29-20171227:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15400Command ExecutionAsusZenFone 3 UltraExploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 3 Ultra, Version=asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 3 Ultra Android device with a build fingerprint of asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15401Command ExecutionAsusASUS_A002Exploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ASUS_A002, Version=asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ASUS_A002 Android device with a build fingerprint of asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15402Command ExecutionAsusASUS_A002_2Exploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017asus/WW_ASUS_A002_2/ASUS_A002_2:7.0/NRD90M/14.1610.1802.18-20180321:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ASUS_A002_2, Version=asus/WW_ASUS_A002_2/ASUS_A002_2:7.0/NRD90M/14.1610.1802.18-20180321:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ASUS_A002_2 Android device with a build fingerprint of asus/WW_ASUS_A002_2/ASUS_A002_2:7.0/NRD90M/14.1610.1802.18-20180321:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15403Command ExecutionAsusZenFone 3s MaxExploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017asus/IN_X00G/ASUS_X00G_1:7.0/NRD90M/IN_X00G-14.02.1807.33-20180706:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 3s Max, Version=asus/IN_X00G/ASUS_X00G_1:7.0/NRD90M/IN_X00G-14.02.1807.33-20180706:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 3s Max Android device with a build fingerprint of asus/IN_X00G/ASUS_X00G_1:7.0/NRD90M/IN_X00G-14.02.1807.33-20180706:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15404Command ExecutionAsusZenFone Max 4Exploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017.1.1asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1712.367-20171225:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone Max 4, Version=asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1712.367-20171225:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone Max 4 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00HD_4:7.1.1/NMF26F/14.2016.1712.367-20171225:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15405Command ExecutionAsusASUS_X00K_1Exploitable by system or signature appcom.asus.loguploaderproxy15700000157.0.0.3_1612227asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ASUS_X00K_1, Version=asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.3_161222 and version code of 1570000015.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15406Command ExecutionAsusASUS_X00LD_3Exploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017.1.1asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone Live, Version=asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ASUS_X00LD_3 Android device with a build fingerprint of asus/WW_Phone/ASUS_X00LD_3:7.1.1/NMF26F/14.0400.1806.203-20180720:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15407Command ExecutionAsusASUS_X015_1Exploitable by system or signature appcom.asus.loguploaderproxy15700000157.0.0.3_1612227asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ASUS_X015_1, Version=asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.3_161222 and version code of 1570000015.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000015, versionName=7.0.0.3_161222) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15408Command ExecutionAsusZenFone 5 LiteExploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017.1.1asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 5 Lite, Version=asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 5 Lite Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_1:7.1.1/NMF26F/14.0400.1810.061-20181107:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15409Command ExecutionAsusZenFone 5QExploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017.1.1asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 5Q, Version=asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15410Command ExecutionAsusZenFone 5QExploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017.1.1asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 5Q, Version=asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 5Q Android device with a build fingerprint of asus/WW_Phone/ASUS_X017D_2:7.1.1/NGI77B/14.0400.1809.059-20181016:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15411Command ExecutionAsusZenFone 3 LaserExploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017.1.1asus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keysasus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 3 Laser, Version=asus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keysasus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 3 Laser Android device with a build fingerprint of asus/WW_msm8937/msm8937:7.1.1/NMF26F/WW_32.40.106.114_20180928:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15412Command ExecutionAsusZenFone 4 SelfieExploitable by system or signature appcom.asus.loguploaderproxy15700000207.0.0.4_1709017.1.1asus/WW_Z01M/ASUS_Z01M_1:7.1.1/NMF26F/WW_71.50.395.57_20180913:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 4 Selfie, Version=asus/WW_Z01M/ASUS_Z01M_1:7.1.1/NMF26F/WW_71.50.395.57_20180913:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.loguploaderproxy having a version name of 7.0.0.4_170901 and version code of 1570000020.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 4 Selfie Android device with a build fingerprint of asus/WW_Z01M/ASUS_Z01M_1:7.1.1/NMF26F/WW_71.50.395.57_20180913:user/release-keys contains a pre-installed app with a package name of com.asus.loguploaderproxy app (versionCode=1570000020, versionName=7.0.0.4_170901) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15413Command ExecutionAsusZenFone 3 UltraExploitable by system or signature appcom.asus.splendidcommandagent15102001051.2.0.21_1806057asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone 3 Ultra, Version=asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.splendidcommandagent having a version name of 1.2.0.21_180605 and version code of 1510200105.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone 3 Ultra Android device with a build fingerprint of asus/WW_Phone/ASUS_A001:7.0/NRD90M/14.1010.1804.75-20180612:user/release-keys contains a pre-installed app with a package name of com.asus.splendidcommandagent app (versionCode=1510200105, versionName=1.2.0.21_180605) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15414Command ExecutionAsusZenFone ARExploitable by system or signature appcom.asus.splendidcommandagent15102001051.2.0.21_1806057asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ZenFone AR, Version=asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.asus.splendidcommandagent having a version name of 1.2.0.21_180605 and version code of 1510200105.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Asus ZenFone AR Android device with a build fingerprint of asus/WW_ASUS_A002/ASUS_A002:7.0/NRD90M/14.1600.1805.51-20180626:user/release-keys contains a pre-installed app with a package name of com.asus.splendidcommandagent app (versionCode=1510200105, versionName=1.2.0.21_180605) that allows other pre-installed apps to perform command execution via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15418Command ExecutionAsusASUS_X00K_1Exploitable by local appcom.lovelyfont.defcontainer55.0.17asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ASUS_X00K_1, Version=asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.lovelyfont.defcontainer having a version name of 5.0.1 and version code of 5.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.lovelyfont.defcontainer to obtain a capability that would otherwise require a permission.

Description: The Asus ASUS_X00K_1 Android device with a build fingerprint of asus/CN_X00K/ASUS_X00K_1:7.0/NRD90M/CN_X00K-14.01.1711.27-20180420:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15419Command ExecutionAsusASUS_X015_1Exploitable by local appcom.lovelyfont.defcontainer55.0.17asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Asus

Affected product: Product=ASUS_X015_1, Version=asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.lovelyfont.defcontainer having a version name of 5.0.1 and version code of 5.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.lovelyfont.defcontainer to obtain a capability that would otherwise require a permission.

Description: The Asus ASUS_X015_1 Android device with a build fingerprint of asus/CN_X015/ASUS_X015_1:7.0/NRD90M/CN_X015-14.00.1709.35-20171215:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=5, versionName=5.0.1) that allows unauthorized command execution via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15420Wireless Settings ModificationBlackviewBV9000Pro-FExploitable by local appcom.mediatek.factorymode117Blackview/BV9000Pro-F/BV9000Pro-F:7.1.1/N4F26M/1514363110:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Blackview

Affected product: Product=BV9000Pro-F, Version=Blackview/BV9000Pro-F/BV9000Pro-F:7.1.1/N4F26M/1514363110:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.factorymode having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.factorymode to obtain a capability that would otherwise require a permission.

Description: The Blackview BV9000Pro-F Android device with a build fingerprint of Blackview/BV9000Pro-F/BV9000Pro-F:7.1.1/N4F26M/1514363110:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15421Wireless Settings ModificationBlackviewBV7000_ProExploitable by local appcom.mediatek.factorymode117.1Blackview/BV7000_Pro/BV7000_Pro:7.0/NRD90M/1493011204:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Blackview

Affected product: Product=BV7000_Pro, Version=Blackview/BV7000_Pro/BV7000_Pro:7.0/NRD90M/1493011204:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.factorymode having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.factorymode to obtain a capability that would otherwise require a permission.

Description: The Blackview BV7000_Pro Android device with a build fingerprint of Blackview/BV7000_Pro/BV7000_Pro:7.0/NRD90M/1493011204:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15423Wireless Settings ModificationBlubooBluboo_S1Exploitable by local appcom.mediatek.factorymode117BLUBOO/Bluboo_S1/Bluboo_S1:7.0/NRD90M/1495809471:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Bluboo

Affected product: Product=Bluboo_S1, Version=BLUBOO/Bluboo_S1/Bluboo_S1:7.0/NRD90M/1495809471:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.factorymode having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.factorymode to obtain a capability that would otherwise require a permission.

Description: The Bluboo Bluboo_S1 Android device with a build fingerprint of BLUBOO/Bluboo_S1/Bluboo_S1:7.0/NRD90M/1495809471:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15430System Properties ModificationBlubooD3 ProExploitable by system or signature appcom.qiku.cleaner22.0.0_VER_325165082955157BLUBOO/Bluboo_D2_Pro/Bluboo_D2_Pro:7.0/NRD90M/1510370501:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Bluboo

Affected product: Product=D3 Pro, Version=BLUBOO/Bluboo_D2_Pro/Bluboo_D2_Pro:7.0/NRD90M/1510370501:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qiku.cleaner having a version name of 2.0.0_VER_32516508295515 and version code of 2.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Bluboo D3 Pro Android device with a build fingerprint of BLUBOO/Bluboo_D2_Pro/Bluboo_D2_Pro:7.0/NRD90M/1510370501:user/release-keys contains a pre-installed app with a package name of com.qiku.cleaner app (versionCode=2, versionName=2.0.0_VER_32516508295515) that allows other pre-installed apps to perform system properties modification via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15381System Properties ModificationBQ5515LExploitable by local appcom.mediatek.wfo.implnullnull8.1BQru/BQru-5515L/BQru-5515L:8.1.0/O11019/20180409.195525:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: BQ

Affected product: Product=BQ 5515L, Version=BQru/BQru-5515L/BQru-5515L:8.1.0/O11019/20180409.195525:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The BQ 5515L Android device with a build fingerprint of BQru/BQru-5515L/BQru-5515L:8.1.0/O11019/20180409.195525:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15377System Properties ModificationCherryFlare S7Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Cherry_Mobile/Flare_S7_Deluxe/Flare_S7_Deluxe:8.1.0/O11019/1533920920:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Cherry

Affected product: Product=Cherry Flare S7, Version=Cherry_Mobile/Flare_S7_Deluxe/Flare_S7_Deluxe:8.1.0/O11019/1533920920:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Cherry Flare S7 Android device with a build fingerprint of Cherry_Mobile/Flare_S7_Deluxe/Flare_S7_Deluxe:8.1.0/O11019/1533920920:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15352System Properties ModificationCoolpad1851Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Coolpad

Affected product: Product=Coolpad 1851, Version=Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15353System Properties ModificationCoolpadN3CExploitable by local appcom.mediatek.wfo.impl278.1.08.1Coolpad/N3C/N3C:8.1.0/O11019/1538236809:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Coolpad

Affected product: Product=Coolpad N3C, Version=Coolpad/N3C/N3C:8.1.0/O11019/1538236809:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Coolpad N3C Android device with a build fingerprint of Coolpad/N3C/N3C:8.1.0/O11019/1538236809:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15368System Properties ModificationCoolpad1851Exploitable by local appcom.mediatek.wfo.impl278.1.08.1.0Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Coolpad

Affected product: Product=Coolpad 1851, Version=Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15388Command ExecutionCoolpad1851Exploitable by local appcom.valmul.defcontainer77.1.138.1Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Coolpad

Affected product: Product=Coolpad 1851, Version=Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys

Attack type: Context-Dependent

Impact: Escalation of Privileges

Affected component: A pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13) containing an exported service app component named com.lovelyfont.manager.FontCoverService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., executing arbitrary commands as the system user via an unprotected app component of a platform app). The attack app is a malicious app without malicious permissions. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app.

Description: The Coolpad 1851 Android device with a build fingerprint of Coolpad/android/android:8.1.0/O11019/1534834761:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15382System Properties ModificationCubotNovaExploitable by local appcom.mediatek.wfo.impl278.1.08.1CUBOT/CUBOT_NOVA/CUBOT_NOVA:8.1.0/O11019/1527060122:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Cubot

Affected product: Product=Cubot Nova, Version=CUBOT/CUBOT_NOVA/CUBOT_NOVA:8.1.0/O11019/1527060122:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Cubot Nova Android device with a build fingerprint of CUBOT/CUBOT_NOVA/CUBOT_NOVA:8.1.0/O11019/1527060122:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15358System Properties ModificationDexpZ250Exploitable by local appcom.mediatek.wfo.impl278.1.08.1DEXP/Z250/Z250:8.1.0/O11019/1531130719:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Dexp

Affected product: Product=Dexp Z250, Version=DEXP/Z250/Z250:8.1.0/O11019/1531130719:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Dexp Z250 Android device with a build fingerprint of DEXP/Z250/Z250:8.1.0/O11019/1531130719:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15364System Properties ModificationDexpBL250Exploitable by local appcom.mediatek.wfo.impl278.1.08.1DEXP/BL250/BL250:8.1.0/O11019/1530858027:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Dexp

Affected product: Product=Dexp BL250, Version=DEXP/BL250/BL250:8.1.0/O11019/1530858027:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Dexp BL250 Android device with a build fingerprint of DEXP/BL250/BL250:8.1.0/O11019/1530858027:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15422Wireless Settings ModificationDoogeeMixExploitable by local appcom.mediatek.factorymode117DOOGEE/MIX/MIX:7.0/NRD90M/1495809471:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Doogee

Affected product: Product=Mix, Version=DOOGEE/MIX/MIX:7.0/NRD90M/1495809471:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.factorymode having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.factorymode to obtain a capability that would otherwise require a permission.

Description: The Doogee Mix Android device with a build fingerprint of DOOGEE/MIX/MIX:7.0/NRD90M/1495809471:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15424Wireless Settings ModificationDoogeeBL5000Exploitable by local appcom.mediatek.factorymode117DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Doogee

Affected product: Product=BL5000, Version=DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.factorymode having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.factorymode to obtain a capability that would otherwise require a permission.

Description: The Doogee BL5000 Android device with a build fingerprint of DOOGEE/BL5000/BL5000:7.0/NRD90M/1497072355:user/release-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15384System Properties ModificationElephoneA4Exploitable by local appcom.mediatek.wfo.impl278.1.08.0.0Elephone/A4/A4:8.1.0/O11019/20180530.143559:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Elephone

Affected product: Product=Elephone A4, Version=Elephone/A4/A4:8.1.0/O11019/20180530.143559:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Elephone A4 Android device with a build fingerprint of Elephone/A4/A4:8.1.0/O11019/20180530.143559:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15431System Properties ModificationEvercossU50AExploitable by system or signature appcom.qiku.cleaner22.0_VER_2017.04.21_17:55:557EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Evercoss

Affected product: Product=U50A, Version=EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qiku.cleaner having a version name of 2.0_VER_2017.04.21_17:55:55 and version code of 2.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Evercoss U50A Android device with a build fingerprint of EVERCOSS/U50A./EVERCOSS:7.0/NRD90M/1499911028:eng/test-keys contains a pre-installed app with a package name of com.qiku.cleaner app (versionCode=2, versionName=2.0_VER_2017.04.21_17:55:55) that allows other pre-installed apps to perform system properties modification via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15432System Properties ModificationEvercossU6Exploitable by system or signature appcom.qiku.cleaner22.0.0_VER_325164862840947EVERCOSS/U6/U6:7.0/NRD90M/1504236704:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Evercoss

Affected product: Product=U6, Version=EVERCOSS/U6/U6:7.0/NRD90M/1504236704:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qiku.cleaner having a version name of 2.0.0_VER_32516486284094 and version code of 2.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Evercoss U6 Android device with a build fingerprint of EVERCOSS/U6/U6:7.0/NRD90M/1504236704:user/release-keys contains a pre-installed app with a package name of com.qiku.cleaner app (versionCode=2, versionName=2.0.0_VER_32516486284094) that allows other pre-installed apps to perform system properties modification via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15380System Properties ModificationFlyPhoto ProExploitable by local appcom.mediatek.wfo.impl278.1.08.1Fly/PhotoPro/Photo_Pro:8.1.0/O11019/1528117003:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Fly

Affected product: Product=Fly Photo Pro, Version=Fly/PhotoPro/Photo_Pro:8.1.0/O11019/1528117003:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Fly Photo Pro Android device with a build fingerprint of Fly/PhotoPro/Photo_Pro:8.1.0/O11019/1528117003:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15390System Properties ModificationHaierG8Exploitable by local appcom.qiku.service.container51.03.00_VER_325259832989848.1Haier/HM-G559-FL/G8:8.1.0/O11019/1522294799:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Haier

Affected product: Product=Haier G8, Version=Haier/HM-G559-FL/G8:8.1.0/O11019/1522294799:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qiku.service.container with a version name of 1.03.00_VER_32525983298984 and version code of 5.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.qiku.service.container to obtain a capability that a third-party app cannot directly be granted.

Description: The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1522294799:user/release-keys contains a pre-installed app with a package name of com.qiku.service.container app (versionCode=5, versionName=1.03.00_VER_32525983298984) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15359System Properties ModificationHaierA6Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Haier

Affected product: Product=Haier A6, Version=Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Haier A6 Android device with a build fingerprint of Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15367System Properties ModificationHaierP10Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Haier/P10/P10:8.1.0/O11019/1532662449:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Haier

Affected product: Product=Haier P10, Version=Haier/P10/P10:8.1.0/O11019/1532662449:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Haier P10 Android device with a build fingerprint of Haier/P10/P10:8.1.0/O11019/1532662449:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15370System Properties ModificationHaierG8Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Haier/HM-G559-FL/G8:8.1.0/O11019/1526527761:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Haier

Affected product: Product=Haier G8, Version=Haier/HM-G559-FL/G8:8.1.0/O11019/1526527761:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1526527761:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15375System Properties ModificationHaierG8Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Haier/HM-G559-FL/G8:8.1.0/O11019/1522294799:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Haier

Affected product: Product=Haier G8, Version=Haier/HM-G559-FL/G8:8.1.0/O11019/1522294799:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Haier G8 Android device with a build fingerprint of Haier/HM-G559-FL/G8:8.1.0/O11019/1522294799:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15389Command ExecutionHaierA6Exploitable by local appcom.lovelyfont.defcontainer77.1.138.1Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Haier

Affected product: Product=Haier A6, Version=Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys

Attack type: Context-Dependent

Impact: Escalation of Privileges

Affected component: A pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13) containing an exported service app component named com.lovelyfont.manager.FontCoverService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., executing arbitrary commands as the system user via an unprotected app component of a platform app). The attack app is a malicious app without malicious permissions. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app.

Description: The Haier A6 Android device with a build fingerprint of Haier/A6/A6:8.1.0/O11019/1534219877:userdebug/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.1.13). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15360System Properties ModificationHisenseU965Exploitable by local appcom.mediatek.wfo.implnullnull8.1Hisense/U965_4G_10/HS6739MT:8.1.0/O11019/Hisense_U965_4G_10_S01:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Hisense

Affected product: Product=Hisense U965, Version=Hisense/U965_4G_10/HS6739MT:8.1.0/O11019/Hisense_U965_4G_10_S01:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Hisense U965 Android device with a build fingerprint of Hisense/U965_4G_10/HS6739MT:8.1.0/O11019/Hisense_U965_4G_10_S01:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15372System Properties ModificationHisenseF17Exploitable by local appcom.mediatek.wfo.implnullnull8.1Hisense/F17_4G/HS6739MT:8.1.0/O11019/Hisense_F17_4G_00_S01:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Hisense

Affected product: Product=Hisense F17, Version=Hisense/F17_4G/HS6739MT:8.1.0/O11019/Hisense_F17_4G_00_S01:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Hisense F17 Android device with a build fingerprint of Hisense/F17_4G/HS6739MT:8.1.0/O11019/Hisense_F17_4G_00_S01:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15361System Properties ModificationInfinixNote 5Exploitable by local appcom.mediatek.wfo.impl278.1.08Infinix/H632C/Infinix-X605_sprout:8.1.0/O11019/CE-180914V59:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Infinix

Affected product: Product=Infinix Note 5, Version=Infinix/H632C/Infinix-X605_sprout:8.1.0/O11019/CE-180914V59:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Infinix Note 5 Android device with a build fingerprint of Infinix/H632C/Infinix-X605_sprout:8.1.0/O11019/CE-180914V59:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15366System Properties ModificationInfinixNote 5Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Infinix/H633IJL/Infinix-X604_sprout:8.1.0/O11019/IJL-180531V181:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Infinix

Affected product: Product=Infinix Note 5, Version=Infinix/H633IJL/Infinix-X604_sprout:8.1.0/O11019/IJL-180531V181:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Infinix Note 5 Android device with a build fingerprint of Infinix/H633IJL/Infinix-X604_sprout:8.1.0/O11019/IJL-180531V181:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15385System Properties ModificationInfinixNote 5Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Infinix/H633B/Infinix-X604_sprout:8.1.0/O11019/L-IN-180206V64:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Infinix

Affected product: Product=Infinix Note 5, Version=Infinix/H633B/Infinix-X604_sprout:8.1.0/O11019/L-IN-180206V64:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Infinix Note 5 Android device with a build fingerprint of Infinix/H633B/Infinix-X604_sprout:8.1.0/O11019/L-IN-180206V64:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15425Wireless Settings ModificationKataM4sExploitable by local appcom.mediatek.factorymode117alps/full_hct6750_66_n/hct6750_66_n:7.0/NRD90M/1495624556:user/test-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Kata

Affected product: Product=M4s, Version=alps/full_hct6750_66_n/hct6750_66_n:7.0/NRD90M/1495624556:user/test-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.factorymode having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.factorymode to obtain a capability that would otherwise require a permission.

Description: The Kata M4s Android device with a build fingerprint of alps/full_hct6750_66_n/hct6750_66_n:7.0/NRD90M/1495624556:user/test-keys contains a pre-installed app with a package name of com.mediatek.factorymode app (versionCode=1, versionName=1) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15332Wireless Settings ModificationLavaZ61Exploitable by local appcom.android.lava.powersave400v4.0.278.0.0LAVA/Z61_2GB/Z61_2GB:8.1.0/O11019/1533889281:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Z61, Version=LAVA/Z61_2GB/Z61_2GB:8.1.0/O11019/1533889281:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.android.lava.powersave with a version name of v4.0.27 and version code of 400.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The Lava Z61 Android device with a build fingerprint of LAVA/Z61_2GB/Z61_2GB:8.1.0/O11019/1533889281:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15333Wireless Settings ModificationLavaFlair Z1Exploitable by local appcom.android.lava.powersave400v4.0.278.1LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Flair Z1, Version=LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.android.lava.powersave with a version name of v4.0.27 and version code of 400.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15334Wireless Settings ModificationLavaIris 88 GoExploitable by local appcom.android.lava.powersave400v4.0.278.1LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Iris 88 Go, Version=LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.android.lava.powersave with a version name of v4.0.27 and version code of 400.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15335Wireless Settings ModificationLavaZ92Exploitable by local appcom.android.lava.powersave400v4.0.278.1LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Z92, Version=LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.android.lava.powersave with a version name of v4.0.27 and version code of 400.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15336Wireless Settings ModificationLavaZ61 TurboExploitable by local appcom.android.lava.powersave400v4.0.278.1LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Z61 Turbo, Version=LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.android.lava.powersave with a version name of v4.0.27 and version code of 400.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15337Wireless Settings ModificationLavaZ81Exploitable by local appcom.android.lava.powersave400v4.0.318.1LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Z81 Turbo, Version=LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.android.lava.powersave with a version name of v4.0.31 and version code of 400.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The Lava Z81 Android device with a build fingerprint of LAVA/Z81/Z81:8.1.0/O11019/1532317309:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.31) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15338Wireless Settings ModificationLavaIris 88 LiteExploitable by local appcom.android.lava.powersave400v4.0.278.1LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Iris 88 Lite, Version=LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.android.lava.powersave with a version name of v4.0.27 and version code of 400.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15339Wireless Settings ModificationLavaZ60sExploitable by local appcom.android.lava.powersave400v4.0.278.1LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Z60s, Version=LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.android.lava.powersave with a version name of v4.0.27 and version code of 400.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.android.lava.powersave to obtain a capability that would otherwise require a permission.

Description: The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.android.lava.powersave app (versionCode=400, versionName=v4.0.27) that allows any app co-located on the device to programmatically disable and enable Wi-Fi without the corresponding access permission through an exported interface.
CVE-2019-15356System Properties ModificationLavaFlair Z1Exploitable by local appcom.mediatek.wfo.impl278.1.08.1LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Flair Z1, Version=LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Lava Flair Z1 Android device with a build fingerprint of LAVA/Z1/Z1:8.1.0/O11019/1536680131:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15362System Properties ModificationLavaIris 88 GoExploitable by local appcom.mediatek.wfo.impl278.1.08.1LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Iris 88 Go, Version=LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Lava Iris 88 Go Android device with a build fingerprint of LAVA/iris88_go/iris88_go:8.1.0/O11019/1538188945:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15365System Properties ModificationLavaZ92Exploitable by local appcom.mediatek.wfo.impl278.1.08.1LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Z92, Version=LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Lava Z92 Android device with a build fingerprint of LAVA/Z92/Z92:8.1.0/O11019/1535088037:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15369System Properties ModificationLavaZ61 TurboExploitable by local appcom.mediatek.wfo.impl278.1.08.1LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Z61 Turbo, Version=LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Lava Z61 Turbo Android device with a build fingerprint of LAVA/Z61_Turbo/Z61_Turbo:8.1.0/O11019/1536917928:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15374System Properties ModificationLavaIris 88 LiteExploitable by local appcom.mediatek.wfo.impl278.1.08.1LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Iris 88 Lite, Version=LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Lava Iris 88 Lite Android device with a build fingerprint of LAVA/iris88_lite/iris88_lite:8.1.0/O11019/1536323070:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15386System Properties ModificationLavaZ60sExploitable by local appcom.mediatek.wfo.impl278.1.08.1LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Lava

Affected product: Product=Lava Z60s, Version=LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Lava Z60s Android device with a build fingerprint of LAVA/Z60s/Z60s:8.1.0/O11019/1530331229:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15363System Properties ModificationLeagooPower 5Exploitable by local appcom.mediatek.wfo.impl278.1.08.1LEAGOO/Power_5/Power_5:8.1.0/O11019/1532686195:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Leagoo

Affected product: Product=Leagoo Power 5, Version=LEAGOO/Power_5/Power_5:8.1.0/O11019/1532686195:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Leagoo Power 5 Android device with a build fingerprint of LEAGOO/Power_5/Power_5:8.1.0/O11019/1532686195:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15376System Properties ModificationPanasonicEluga Ray 530Exploitable by local appcom.mediatek.wfo.impl278.1.08.0.0Panasonic/ELUGA_Ray_530/ELUGA_Ray_530:8.1.0/O11019/1531828974:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Panasonic

Affected product: Product=Panasonic Eluga Ray 530, Version=Panasonic/ELUGA_Ray_530/ELUGA_Ray_530:8.1.0/O11019/1531828974:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Panasonic Eluga Ray 530 Android device with a build fingerprint of Panasonic/ELUGA_Ray_530/ELUGA_Ray_530:8.1.0/O11019/1531828974:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15378System Properties ModificationPanasonicEluga Ray 600Exploitable by local appcom.mediatek.wfo.impl278.1.08.0.0Panasonic/ELUGA_Ray_600/ELUGA_Ray_600:8.1.0/O11019/1532692680:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Panasonic

Affected product: Product=Panasonic Eluga Ray 600, Version=Panasonic/ELUGA_Ray_600/ELUGA_Ray_600:8.1.0/O11019/1532692680:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Panasonic Eluga Ray 600 Android device with a build fingerprint of Panasonic/ELUGA_Ray_600/ELUGA_Ray_600:8.1.0/O11019/1532692680:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15429Attacker-controlled AT CommandPanasonicELUGA_I9Exploitable by local appcom.ovvi.modem117Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Panasonic

Affected product: Product=ELUGA_I9, Version=Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.ovvi.modem having a version name of 1 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.ovvi.modem to obtain a capability that would otherwise require a permission.

Description: The Panasonic ELUGA_I9 Android device with a build fingerprint of Panasonic/ELUGA_I9/ELUGA_I9:7.0/NRD90M/1501740649:user/release-keys contains a pre-installed app with a package name of com.ovvi.modem app (versionCode=1, versionName=1) that allows unauthorized attacker-controlled at command via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15433App InstallationSamsungA3Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/a3y17ltedx/a3y17lte:8.0.0/R16NW/A320YDXU4CSB3:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=A3, Version=samsung/a3y17ltedx/a3y17lte:8.0.0/R16NW/A320YDXU4CSB3:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung A3 Android device with a build fingerprint of samsung/a3y17ltedx/a3y17lte:8.0.0/R16NW/A320YDXU4CSB3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15434App InstallationSamsungA5Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/a5y17ltexx/a5y17lte:8.0.0/R16NW/A520FXXS8CSC5:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=A5, Version=samsung/a5y17ltexx/a5y17lte:8.0.0/R16NW/A520FXXS8CSC5:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung A5 Android device with a build fingerprint of samsung/a5y17ltexx/a5y17lte:8.0.0/R16NW/A520FXXS8CSC5:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15435App InstallationSamsungA7Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/a7y17ltexx/a7y17lte:8.0.0/R16NW/A720FXXU7CSC2:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=A7, Version=samsung/a7y17ltexx/a7y17lte:8.0.0/R16NW/A720FXXU7CSC2:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung A7 Android device with a build fingerprint of samsung/a7y17ltexx/a7y17lte:8.0.0/R16NW/A720FXXU7CSC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15436App InstallationSamsungA8+Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=A8+, Version=samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung A8+ Android device with a build fingerprint of samsung/jackpot2ltexx/jackpot2lte:8.0.0/R16NW/A730FXXS4BSC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15437App InstallationSamsungXCover4Exploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/xcover4ltexx/xcover4lte:8.1.0/M1AJQ/G390FXXU3BSA2:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=XCover4, Version=samsung/xcover4ltexx/xcover4lte:8.1.0/M1AJQ/G390FXXU3BSA2:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltexx/xcover4lte:8.1.0/M1AJQ/G390FXXU3BSA2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app
CVE-2019-15438App InstallationSamsungXCover4Exploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=XCover4, Version=samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15439App InstallationSamsungXCover4Exploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=XCover4, Version=samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung XCover4 Android device with a build fingerprint of samsung/xcover4ltedo/xcover4lte:8.1.0/M1AJQ/G390YDXU2BSA1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15440App InstallationSamsungJ5Exploitable by system or signature appcom.samsung.android.themecenter60100006.1.0.08.0.0samsung/on5xeltedx/on5xelte:8.0.0/R16NW/G570YDXU2CRL1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J5, Version=samsung/on5xeltedx/on5xelte:8.0.0/R16NW/G570YDXU2CRL1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 6.1.0.0 and version code of 6010000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J5 Android device with a build fingerprint of samsung/on5xeltedx/on5xelte:8.0.0/R16NW/G570YDXU2CRL1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15441App InstallationSamsungon7xeltelgtExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/on7xeltelgt/on7xeltelgt:8.1.0/M1AJQ/G610LKLU2CSB1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=on7xeltelgt, Version=samsung/on7xeltelgt/on7xeltelgt:8.1.0/M1AJQ/G610LKLU2CSB1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung on7xeltelgt Android device with a build fingerprint of samsung/on7xeltelgt/on7xeltelgt:8.1.0/M1AJQ/G610LKLU2CSB1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15442App InstallationSamsungon7xeltesktExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/on7xelteskt/on7xelteskt:8.1.0/M1AJQ/G610SKSU2CSB1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=on7xelteskt, Version=samsung/on7xelteskt/on7xelteskt:8.1.0/M1AJQ/G610SKSU2CSB1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung on7xelteskt Android device with a build fingerprint of samsung/on7xelteskt/on7xelteskt:8.1.0/M1AJQ/G610SKSU2CSB1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15443App InstallationSamsungJ7 MaxExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j7maxlteins/j7maxlte:8.1.0/M1AJQ/G615FXXU2BSB1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J7 Max, Version=samsung/j7maxlteins/j7maxlte:8.1.0/M1AJQ/G615FXXU2BSB1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J7 Max Android device with a build fingerprint of samsung/j7maxlteins/j7maxlte:8.1.0/M1AJQ/G615FXXU2BSB1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15444App InstallationSamsungS7Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXS4ESC3:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=S7, Version=samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXS4ESC3:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung S7 Android device with a build fingerprint of samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15445App InstallationSamsungS7Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXS4ESC3:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=S7, Version=samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXS4ESC3:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung S7 Android device with a build fingerprint of samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15446App InstallationSamsungS7Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXU3ESAC:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=S7, Version=samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXU3ESAC:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung S7 Android device with a build fingerprint of samsung/heroltexx/herolte:8.0.0/R16NW/G930FXXU3ESAC:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15447App InstallationSamsungS7 EdgeExploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=S7 Edge, Version=samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung S7 Edge Android device with a build fingerprint of samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15448App InstallationSamsungS7 EdgeExploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=S7 Edge, Version=samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung S7 Edge Android device with a build fingerprint of samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15449App InstallationSamsungS7 EdgeExploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=S7 Edge, Version=samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung S7 Edge Android device with a build fingerprint of samsung/hero2ltexx/hero2lte:8.0.0/R16NW/G935FXXS4ESC3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15450App InstallationSamsungj3popeltecanExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j3popeltevl/j3popeltecan:8.1.0/M1AJQ/J327WVLS3BSA2:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=j3popeltecan, Version=samsung/j3popeltevl/j3popeltecan:8.1.0/M1AJQ/J327WVLS3BSA2:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung j3popeltecan Android device with a build fingerprint of samsung/j3popeltevl/j3popeltecan:8.1.0/M1AJQ/J327WVLS3BSA2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15451App InstallationSamsungJ3Exploitable by system or signature appcom.samsung.android.themecenter60100006.1.0.08.0.0samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J3, Version=samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 6.1.0.0 and version code of 6010000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J3 Android device with a build fingerprint of samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15452App InstallationSamsungJ3Exploitable by system or signature appcom.samsung.android.themecenter60100006.1.0.08.0.0samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J3, Version=samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 6.1.0.0 and version code of 6010000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J3 Android device with a build fingerprint of samsung/j3y17ltedx/j3y17lte:8.0.0/R16NW/J330GDXS3BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=6010000, versionName=6.1.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15453App InstallationSamsungJ4Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/j4lteub/j4lte:8.0.0/R16NW/J400MUBS2ASC2:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J4, Version=samsung/j4lteub/j4lte:8.0.0/R16NW/J400MUBS2ASC2:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J4 Android device with a build fingerprint of samsung/j4lteub/j4lte:8.0.0/R16NW/J400MUBS2ASC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15454App InstallationSamsungJ4Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/j4lteub/j4lte:8.0.0/R16NW/J400MUBU2ARL4:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J4, Version=samsung/j4lteub/j4lte:8.0.0/R16NW/J400MUBU2ARL4:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J4 Android device with a build fingerprint of samsung/j4lteub/j4lte:8.0.0/R16NW/J400MUBU2ARL4:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15455App InstallationSamsungJ5Exploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j5y17ltexx/j5y17lte:8.1.0/M1AJQ/J530FXXU3BRL1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J5, Version=samsung/j5y17ltexx/j5y17lte:8.1.0/M1AJQ/J530FXXU3BRL1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J5 Android device with a build fingerprint of samsung/j5y17ltexx/j5y17lte:8.1.0/M1AJQ/J530FXXU3BRL1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15456App InstallationSamsungJ6Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J6, Version=samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J6 Android device with a build fingerprint of samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15457App InstallationSamsungJ6Exploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J6, Version=samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J6 Android device with a build fingerprint of samsung/j6ltexx/j6lte:8.0.0/R16NW/J600FNXXU3ASC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15458App InstallationSamsungJ7 NeoExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j7veltedx/j7velte:8.1.0/M1AJQ/J701FXXS6BSC1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J7 Neo, Version=samsung/j7veltedx/j7velte:8.1.0/M1AJQ/J701FXXS6BSC1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J7 Neo Android device with a build fingerprint of samsung/j7veltedx/j7velte:8.1.0/M1AJQ/J701FXXS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15459App InstallationSamsungJ7 NeoExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j7velteub/j7velte:8.1.0/M1AJQ/J701MUBS6BSB3:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J7 Neo, Version=samsung/j7velteub/j7velte:8.1.0/M1AJQ/J701MUBS6BSB3:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J7 Neo Android device with a build fingerprint of samsung/j7velteub/j7velte:8.1.0/M1AJQ/J701MUBS6BSB3:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15460App InstallationSamsungJ7 NeoExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j7veltedx/j7velte:8.1.0/M1AJQ/J701FXVS6BSC1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J7 Neo, Version=samsung/j7veltedx/j7velte:8.1.0/M1AJQ/J701FXVS6BSC1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J7 Neo Android device with a build fingerprint of samsung/j7veltedx/j7velte:8.1.0/M1AJQ/J701FXVS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15461App InstallationSamsungJ7 NeoExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j7velteub/j7velte:8.1.0/M1AJQ/J701MUBS6BSB4:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J7 Neo, Version=samsung/j7velteub/j7velte:8.1.0/M1AJQ/J701MUBS6BSB4:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J7 Neo Android device with a build fingerprint of samsung/j7velteub/j7velte:8.1.0/M1AJQ/J701MUBS6BSB4:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15462App InstallationSamsungJ7 DuoExploitable by system or signature appcom.samsung.android.themecenter70000007.0.0.08.0.0samsung/j7duolteub/j7duolte:8.0.0/R16NW/J720MUBS3ASB2:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J7 Duo, Version=samsung/j7duolteub/j7duolte:8.0.0/R16NW/J720MUBS3ASB2:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.0.0 and version code of 7000000.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J7 Duo Android device with a build fingerprint of samsung/j7duolteub/j7duolte:8.0.0/R16NW/J720MUBS3ASB2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000000, versionName=7.0.0.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15463App InstallationSamsungj7popeltemtrExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j7popeltemtr/j7popeltemtr:8.1.0/M1AJQ/J727T1UVS5BSC2:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=j7popeltemtr, Version=samsung/j7popeltemtr/j7popeltemtr:8.1.0/M1AJQ/J727T1UVS5BSC2:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung j7popeltemtr Android device with a build fingerprint of samsung/j7popeltemtr/j7popeltemtr:8.1.0/M1AJQ/J727T1UVS5BSC2:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15464App InstallationSamsungJ7 ProExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j7y17lteub/j7y17lte:8.1.0/M1AJQ/J730GUBS6BSC1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J7 Pro, Version=samsung/j7y17lteub/j7y17lte:8.1.0/M1AJQ/J730GUBS6BSC1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J7 Pro Android device with a build fingerprint of samsung/j7y17lteub/j7y17lte:8.1.0/M1AJQ/J730GUBS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15465App InstallationSamsungJ7 ProExploitable by system or signature appcom.samsung.android.themecenter70001007.0.1.08.1.0samsung/j7y17lteubm/j7y17lte:8.1.0/M1AJQ/J730GMUBS6BSC1:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Samsung

Affected product: Product=J7 Pro, Version=samsung/j7y17lteubm/j7y17lte:8.1.0/M1AJQ/J730GMUBS6BSC1:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.samsung.android.themecenter having a version name of 7.0.1.0 and version code of 7000100.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Samsung J7 Pro Android device with a build fingerprint of samsung/j7y17lteubm/j7y17lte:8.1.0/M1AJQ/J730GMUBS6BSC1:user/release-keys contains a pre-installed app with a package name of com.samsung.android.themecenter app (versionCode=7000100, versionName=7.0.1.0) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15416App InstallationSonykeyaki_kddiExploitable by system or signature appcom.kddi.android.packageinstaller7000808.10.037.1.1Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Sony

Affected product: Product=keyaki_kddi, Version=Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.kddi.android.packageinstaller having a version name of 08.10.03 and version code of 70008.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Sony keyaki_kddi Android device with a build fingerprint of Sony/keyaki_kddi/keyaki_kddi:7.1.1/TONE3-3.0.0-KDDI-170517-0326/1:user/dev-keys contains a pre-installed app with a package name of com.kddi.android.packageinstaller app (versionCode=70008, versionName=08.10.03) that allows other pre-installed apps to perform app installation via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that exported their capabilities to other pre-installed app.
CVE-2019-15743Audio RecordingSonyXperia TouchExploitable by local appcom.sonymobile.android.maintenancetool.testmic247.07Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Sony

Affected product: Product=Xperia Touch, Version=Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.sonymobile.android.maintenancetool.testmic having a version name of 7.0 and version code of 24.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.sonymobile.android.maintenancetool.testmic to obtain a capability that would otherwise require a permission.

Description: The Sony Xperia Touch Android device with a build fingerprint of Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys contains a pre-installed app with a package name of com.sonymobile.android.maintenancetool.testmic app (versionCode=24, versionName=7.0) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record audio to external storage.
CVE-2019-15744Wireless Settings ModificationSonyXperia XZsExploitable by local appjp.softbank.mb.tdrl14130051.3.07.1.1Sony/keyaki_softbank/keyaki_softbank:7.1.1/TONE3-3.0.0-SOFTBANK-170517-0323/1:user/dev-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Sony

Affected product: Product=Xperia XZs, Version=Sony/keyaki_softbank/keyaki_softbank:7.1.1/TONE3-3.0.0-SOFTBANK-170517-0323/1:user/dev-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of jp.softbank.mb.tdrl having a version name of 1.3.0 and version code of 1413005.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of jp.softbank.mb.tdrl to obtain a capability that would otherwise require a permission.

Description: The Sony Xperia Xperia XZs Android device with a build fingerprint of Sony/keyaki_softbank/keyaki_softbank:7.1.1/TONE3-3.0.0-SOFTBANK-170517-0323/1:user/dev-keys contains a pre-installed app with a package name of jp.softbank.mb.tdrl app (versionCode=1413005, versionName=1.3.0) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15371System Properties ModificationSymphonyG100Exploitable by local appcom.mediatek.wfo.impl278.1.08.0.0Symphony/G100/G100:8.1.0/O11019/1530618779:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Symphony

Affected product: Product=Symphony G100, Version=Symphony/G100/G100:8.1.0/O11019/1530618779:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Symphony G100 Android device with a build fingerprint of Symphony/G100/G100:8.1.0/O11019/1530618779:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15373System Properties ModificationSymphonyi95Exploitable by local appcom.mediatek.wfo.impl278.1.08.0.0Symphony/i95/i95:8.1.0/O11019/1536929227:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Symphony

Affected product: Product=Symphony i95, Version=Symphony/i95/i95:8.1.0/O11019/1536929227:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Symphony i95 Lite Android device with a build fingerprint of Symphony/i95/i95:8.1.0/O11019/1536929227:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15341Dynamic Code LoadingTecnoCamon iAir 2 PlusExploitable by local appcom.lovelyfont.defcontainer77.0.118.0.0TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon iAir 2 Plus, Version=TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keys

Attack type: Local

Impact: Escalation of Privileges, Code Execution

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., providing the path to a Dalvik Executable (DEX) file that will be dynamically loaded and executed by a process executing as the system user). The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon iAir 2 Plus Android device with a build fingerprint of TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.service.FunctionService that allows any app co-located on the device to supply the file path to a Dalvik Executable (DEX) file which it will dynamically load within its own process and execute in with its own system privileges. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing code as the system user can allow a third-party app to factory reset the device, obtain the user’s Wi-Fi passwords, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15342Command ExecutionTecnoCamon iAir 2 PlusExploitable by local appcom.lovelyfont.defcontainer77.0.118.0.0TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon iAir 2 Plus, Version=TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., executing arbitrary commands as the system user via an unprotected app component of a platform app). The attacker first interacts with the component to provide a path to a shell script and then can select a keyword which, when it appears in the logcat log, will then execute the shell script. The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon iAir 2 Plus Android device with a build fingerprint of TECNO/H622/TECNO-ID3k:8.1.0/O11019/E-180914V83:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands via shell script to be executed as the system user that are triggered by writing an attacker-selected message to the logcat log. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15343Command ExecutionTecnoCamon iClickExploitable by local appcom.lovelyfont.defcontainer77.0.88.0.0TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon iClick, Version=TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., executing arbitrary commands as the system user via an unprotected app component of a platform app). The attacker first interacts with the component to provide a path to a shell script and then can select a keyword which, when it appears in the logcat log, will then execute the shell script. The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands via shell script to be executed as the system user that are triggered by writing an attacker-selected message to the logcat log. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15344Command ExecutionTecnoCamon iClickExploitable by local appcom.lovelyfont.defcontainer77.0.88.0.0TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon iClick, Version=TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys

Attack type: Context-Dependent

Impact: Escalation of Privileges

Affected component: A pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8) containing an exported service app component named com.lovelyfont.manager.FontCoverService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., executing arbitrary commands as the system user via an unprotected app component of a platform app). The attack app is a malicious app without malicious permissions. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app.

Description: The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. In addition to the local attack surface, its accompanying app with a package name of com.ekesoo.lovelyhifonts makes network requests using HTTP and an attacker can perform a Man-in-the-Middle (MITM) attack on the connection to inject a command in a network response that will be executed as the system user by the com.lovelyfont.defcontainer app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15345Dynamic Code LoadingTecnoCamon iClickExploitable by local appcom.lovelyfont.defcontainer77.0.88.0.0TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon iClick, Version=TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys

Attack type: Local

Impact: Escalation of Privileges, Code Execution

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., providing the path to a Dalvik Executable (DEX) file that will be dynamically loaded and executed by a process executing as the system user). The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.8). This app contains an exported service named com.lovelyfont.manager.service.FunctionService that allows any app co-located on the device to supply the file path to a Dalvik Executable (DEX) file which it will dynamically load within its own process and execute in with its own system privileges. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing code as the system user can allow a third-party app to factory reset the device, obtain the user’s Wi-Fi passwords, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15346Dynamic Code LoadingTecnoCamon iClick 2Exploitable by local appcom.lovelyfont.defcontainer77.0.118.0.0TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon iClick 2, Version=TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keys

Attack type: Local

Impact: Escalation of Privileges, Code Execution

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., providing the path to a Dalvik Executable (DEX) file that will be dynamically loaded and executed by a process executing as the system user). The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon iClick 2 Android device with a build fingerprint of TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.service.FunctionService that allows any app co-located on the device to supply the file path to a Dalvik Executable (DEX) file which it will dynamically load within its own process and execute in with its own system privileges. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing code as the system user can allow a third-party app to factory reset the device, obtain the user’s Wi-Fi passwords, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15347Command ExecutionTecnoCamon iClick 2Exploitable by local appcom.lovelyfont.defcontainer77.0.118.0.0TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon iClick 2, Version=TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., executing arbitrary commands as the system user via an unprotected app component of a platform app). The attacker first interacts with the component to provide a path to a shell script and then can select a keyword which, when it appears in the logcat log, will then execute the shell script. The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon iClick 2 Android device with a build fingerprint of TECNO/H622/TECNO-ID6:8.1.0/O11019/F-180824V116:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands via shell script to be executed as the system user that are triggered by writing an attacker-selected message to the logcat log. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15348Command ExecutionTecnoCamonExploitable by local appcom.lovelyfont.defcontainer77.0.118.0.0TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon, Version=TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., executing arbitrary commands as the system user via an unprotected app component of a platform app). The attacker first interacts with the component to provide a path to a shell script and then can select a keyword which, when it appears in the logcat log, will then execute the shell script. The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon Android device with a build fingerprint of TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands via shell script to be executed as the system user that are triggered by writing an attacker-selected message to the logcat log. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15349Dynamic Code LoadingTecnoCamonExploitable by local appcom.lovelyfont.defcontainer77.0.118.0.0TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon, Version=TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., providing the path to a Dalvik Executable (DEX) file that will be dynamically loaded and executed by a process executing as the system user). The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon Android device with a build fingerprint of TECNO/H612/TECNO-ID5a:8.1.0/O11019/F-180828V106:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.service.FunctionService that allows any app co-located on the device to supply the file path to a Dalvik Executable (DEX) file which it will dynamically load within its own process and execute in with its own system privileges. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing code as the system user can allow a third-party app to factory reset the device, obtain the user’s Wi-Fi passwords, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15350Dynamic Code LoadingTecnoCamonExploitable by local appcom.lovelyfont.defcontainer77.0.118.0.0TECNO/H622/TECNO-ID5b:8.1.0/O11019/G-180829V31:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon, Version=TECNO/H622/TECNO-ID5b:8.1.0/O11019/G-180829V31:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., providing the path to a Dalvik Executable (DEX) file that will be dynamically loaded and executed by a process executing as the system user). The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon Android device with a build fingerprint of TECNO/H622/TECNO-ID5b:8.1.0/O11019/G-180829V31:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.service.FunctionService that allows any app co-located on the device to supply the file path to a Dalvik Executable (DEX) file which it will dynamically load within its own process and execute in with its own system privileges. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing code as the system user can allow a third-party app to factory reset the device, obtain the user’s Wi-Fi passwords, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15351Command ExecutionTecnoCamonExploitable by local appcom.lovelyfont.defcontainer77.0.118.0.0TECNO/H622/TECNO-ID5b:8.1.0/O11019/G-180829V31:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon, Version=TECNO/H622/TECNO-ID5b:8.1.0/O11019/G-180829V31:user/release-keys

Attack type: Local

Impact: Escalation of Privileges, Code Execution

Affected component: A pre-installed platform app that has with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11) containing an exported service app component named com.lovelyfont.manager.service.FunctionService.

Attack vector: The attack vector is a third-party app co-located on the device that does not require any permissions and interacts with an exported service app component of an app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). The malicious app can reach the device via app repackaging, phishing, trojanized app, or remote exploit. By leveraging an open interface of the com.lovelyfont.defcontainer app, the malicious app can utilize a capability that is not directly available to third-party apps (i.e., executing arbitrary commands as the system user via an unprotected app component of a platform app). The attacker first interacts with the component to provide a path to a shell script and then can select a keyword which, when it appears in the logcat log, will then execute the shell script. The attack app is a malicious app without malicious permissions.

Description: The Tecno Camon Android device with a build fingerprint of TECNO/H622/TECNO-ID5b:8.1.0/O11019/G-180829V31:user/release-keys contains a pre-installed platform app with a package name of com.lovelyfont.defcontainer (versionCode=7, versionName=7.0.11). This app contains an exported service named com.lovelyfont.manager.FontCoverService that allows any app co-located on the device to supply arbitrary commands via shell script to be executed as the system user that are triggered by writing an attacker-selected message to the logcat log. This app cannot be disabled by the user and the attack can be performed by a zero-permission app. Executing commands as the system user can allow a third-party app to video record the user’s screen, factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the Graphical User Interface (GUI), and obtains the user’s text messages, and more. Executing commands as the system user can allow a third-party app to factory reset the device, obtain the user’s notifications, read the logcat logs, inject events in the GUI, change the default Input Method Editor (IME) (e.g., keyboard) with one contained within the attacking app that contains keylogging functionality, and obtains the user’s text messages, and more.
CVE-2019-15355System Properties ModificationTecnoCamon iClickExploitable by local appcom.mediatek.wfo.impl278.1.08.0.0TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Tecno Camon iClick, Version=TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Tecno Camon iClick Android device with a build fingerprint of TECNO/H633/TECNO-IN6:8.1.0/O11019/A-180409V96:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15417Dynamic Code LoadingTecnoSpark ProExploitable by local appcom.lovelyfont.defcontainer77.0.57TECNO/H3722/TECNO-K8:7.0/NRD90M/K8-H3722ABCDE-N-171229V96:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Tecno

Affected product: Product=Spark Pro, Version=TECNO/H3722/TECNO-K8:7.0/NRD90M/K8-H3722ABCDE-N-171229V96:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.lovelyfont.defcontainer having a version name of 7.0.5 and version code of 7.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.lovelyfont.defcontainer to obtain a capability that would otherwise require a permission.

Description: The Tecno Spark Pro Android device with a build fingerprint of TECNO/H3722/TECNO-K8:7.0/NRD90M/K8-H3722ABCDE-N-171229V96:user/release-keys contains a pre-installed app with a package name of com.lovelyfont.defcontainer app (versionCode=7, versionName=7.0.5) that allows unauthorized dynamic code loading via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15354System Properties ModificationUlefoneArmor 5Exploitable by local appcom.mediatek.wfo.impl278.1.08.1Ulefone/Ulefone_Armor_5/Ulefone_Armor_5:8.1.0/O11019/1528806701:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Ulefone

Affected product: Product=Ulefone Armor 5, Version=Ulefone/Ulefone_Armor_5/Ulefone_Armor_5:8.1.0/O11019/1528806701:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Ulefone Armor 5 Android device with a build fingerprint of Ulefone/Ulefone_Armor_5/Ulefone_Armor_5:8.1.0/O11019/1528806701:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15379System Properties ModificationWaltonPrimo GM3Exploitable by local appcom.mediatek.wfo.impl278.1.08.0.0WALTON/Primo_GM3/Primo_GM3:8.1.0/O11019/1522737198:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Walton

Affected product: Product=Walton Primo GM3, Version=WALTON/Primo_GM3/Primo_GM3:8.1.0/O11019/1522737198:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.mediatek.wfo.impl with a version name of 8.1.0 and version code of 27.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.mediatek.wfo.impl to obtain a capability that a third-party app cannot directly be granted.

Description: The Walton Primo G3 Android device with a build fingerprint of WALTON/Primo_GM3/Primo_GM3:8.1.0/O11019/1522737198:user/release-keys contains a pre-installed app with a package name of com.mediatek.wfo.impl app (versionCode=27, versionName=8.1.0) that allows any app co-located on the device to modify a system property through an exported interface without proper authorization.
CVE-2019-15340Wireless Settings ModificationXiaomiRedmi 6 ProExploitable by local appcom.huaqin.factory1QL1715_2018052920068.1xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Redmi 6 Pro, Version=xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.huaqin.factory with a version name of QL1715_201805292006 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.huaqin.factory to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V9.6.4.0.ODMMIFD:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201805292006) that allows any app co-located on the device to programmatically disable and enable Wi-Fi, Bluetooth, and GPS without the corresponding access permission through an exported interface.
CVE-2019-15415Wireless Settings ModificationXiaomiRedmi 5Exploitable by local appcom.huaqin.factory1QL1711_2018032916457.1.2xiaomi/vince/vince:7.1.2/N2G47H/V9.5.4.0.NEGMIFA:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Redmi 5, Version=xiaomi/vince/vince:7.1.2/N2G47H/V9.5.4.0.NEGMIFA:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.huaqin.factory having a version name of QL1711_201803291645 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.huaqin.factory to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Redmi 5 Android device with a build fingerprint of xiaomi/vince/vince:7.1.2/N2G47H/V9.5.4.0.NEGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1711_201803291645) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15426Wireless Settings ModificationXiaomi5S PlusExploitable by local appcom.miui.powerkeeper400004.0.006Xiaomi/natrium/natrium:6.0.1/MXB48T/7.1.5:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=5S Plus, Version=Xiaomi/natrium/natrium:6.0.1/MXB48T/7.1.5:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.miui.powerkeeper having a version name of 4.0.00 and version code of 40000.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.miui.powerkeeper to obtain a capability that would otherwise require a permission.

Description: The Xiaomi 5S Plus Android device with a build fingerprint of Xiaomi/natrium/natrium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15427Wireless Settings ModificationXiaomiMi MixExploitable by local appcom.miui.powerkeeper400004.0.006Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi Mix, Version=Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.miui.powerkeeper having a version name of 4.0.00 and version code of 40000.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.miui.powerkeeper to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Mi Mix Android device with a build fingerprint of Xiaomi/lithium/lithium:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15428Wireless Settings ModificationXiaomiMi Note 2Exploitable by local appcom.miui.powerkeeper400004.0.006Xiaomi/scorpio/scorpio:6.0.1/MXB48T/7.1.5:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi Note 2, Version=Xiaomi/scorpio/scorpio:6.0.1/MXB48T/7.1.5:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.miui.powerkeeper having a version name of 4.0.00 and version code of 40000.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.miui.powerkeeper to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Mi Note 2 Android device with a build fingerprint of Xiaomi/scorpio/scorpio:6.0.1/MXB48T/7.1.5:user/release-keys contains a pre-installed app with a package name of com.miui.powerkeeper app (versionCode=40000, versionName=4.0.00) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15466Wireless Settings ModificationXiaomiRedmi 6 ProExploitable by local appcom.huaqin.factory1QL1715_2018121917218.1.0xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V10.2.6.0.ODMMIXM:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Redmi 6 Pro, Version=xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V10.2.6.0.ODMMIXM:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.huaqin.factory having a version name of QL1715_201812191721 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.huaqin.factory to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Redmi 6 Pro Android device with a build fingerprint of xiaomi/sakura_india/sakura_india:8.1.0/OPM1.171019.019/V10.2.6.0.ODMMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812191721) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15467Wireless Settings ModificationXiaomiMi Mix 2SExploitable by local appcom.huaqin.factory1A2060_2018010320538.0.0Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi Mix 2S, Version=Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.huaqin.factory having a version name of A2060_201801032053 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.huaqin.factory to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=A2060_201801032053) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15468Wireless Settings ModificationXiaomiMi A2 LiteExploitable by local appcom.huaqin.factory1QL1715_2018120719539xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi A2 Lite, Version=xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.huaqin.factory having a version name of QL1715_201812071953 and version code of 1.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.huaqin.factory to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812071953) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device.
CVE-2019-15469Microphone Audio RecordingXiaomiMi Pad 4Exploitable by system or signature appcom.qualcomm.qti.callenhancement278.1.08.1.0Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi Pad 4, Version=Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qualcomm.qti.callenhancement having a version name of 8.1.0 and version code of 27.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Xiaomi Mi Pad 4 Android device with a build fingerprint of Xiaomi/clover/clover:8.1.0/OPM1.171019.019/V9.6.26.0.ODJCNFD:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage.
CVE-2019-15470Microphone Audio RecordingXiaomiRedmi Note 6 ProExploitable by system or signature appcom.qualcomm.qti.callenhancement278.1.08.1.0xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Redmi Note 6 Pro, Version=xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qualcomm.qti.callenhancement having a version name of 8.1.0 and version code of 27.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Xiaomi Redmi Note 6 Pro Android device with a build fingerprint of xiaomi/tulip/tulip:8.1.0/OPM1.171019.011/V10.2.2.0.OEKMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage.
CVE-2019-15471Microphone Audio RecordingXiaomiMi Mix 2SExploitable by system or signature appcom.qualcomm.qti.callenhancement278.1.08.0.0Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi Mix 2S, Version=Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qualcomm.qti.callenhancement having a version name of 8.1.0 and version code of 27.

Attack vector: Any pre-installed system app can be granted a signatureOrSystem permission and call other pre-installed app components that are guarded with these permissions, whether the calling app is signed by the same vendor or not, whether vetted or not, potentially bypassing the security boundaries set by the Android OS.

Description: The Xiaomi Mi Mix 2S Android device with a build fingerprint of Xiaomi/polaris/polaris:8.0.0/OPR1.170623.032/V9.5.19.0.ODGMIFA:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=27, versionName=8.1.0) that allows other pre-installed apps to perform microphone audio recording via an accessible app component. This capability can be accessed by any pre-installed app on the device which can obtain signatureOrSystem permissions that are required by other other pre-installed apps that export their capabilities to other pre-installed app. This app allows a third-party app to use its open interface to record telephone calls to external storage.
CVE-2019-15472Microphone Audio RecordingXiaomiMi A2 LiteExploitable by local appcom.qualcomm.qti.callenhancement2899xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi A2 Lite, Version=xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qualcomm.qti.callenhancement having a version name of 9 and version code of 28.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.qualcomm.qti.callenhancement to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage.
CVE-2019-15473Microphone Audio RecordingXiaomiMi A2 LiteExploitable by local appcom.qualcomm.qti.callenhancement2899xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi A2 Lite, Version=xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qualcomm.qti.callenhancement having a version name of 9 and version code of 28.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.qualcomm.qti.callenhancement to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage.
CVE-2019-15474Microphone Audio RecordingXiaomiCepheusExploitable by local appcom.qualcomm.qti.callenhancement2899Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Cepheus, Version=Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qualcomm.qti.callenhancement having a version name of 9 and version code of 28.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.qualcomm.qti.callenhancement to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Cepheus Android device with a build fingerprint of Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage.
CVE-2019-15475Microphone Audio RecordingXiaomiMi A3Exploitable by local appcom.qualcomm.qti.callenhancement2899xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keysVulnerability Type: Incorrect Access Control

Vendor of the product: Xiaomi

Affected product: Product=Mi A3, Version=xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys

Attack type: Local

Impact: Escalation of Privileges

Affected component: Pre-installed app with a package name of com.qualcomm.qti.callenhancement having a version name of 9 and version code of 28.

Attack vector: Any app co-located on the device can interact with an exported app component of the app with a package name of com.qualcomm.qti.callenhancement to obtain a capability that would otherwise require a permission.

Description: The Xiaomi Mi A3 Android device with a build fingerprint of xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage.

DISCLAIMER

This work was supported by the Department of Homeland Security (DHS) Science and Technology (S&T). The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DHS.