Android Device Vulnerability in Tecno Camon iClick due to Exported Service
CVE-2019-15343

7.8 HIGH

Key Information:

Vendor
CVE Published: 14 November 2019

Summary

The Tecno Camon iClick Android device has a significant flaw due to a pre-installed platform app that exposes an exported service. This vulnerability permits any co-located application on the device to execute arbitrary shell commands as the system user. By writing specific messages to the logcat log, attackers can trigger severe actions such as recording the user's screen, conducting factory resets, accessing notifications, reading logcat logs, and even reading text messages. Importantly, this process can occur through zero-permission apps and cannot be disabled by the user, posing a critical risk to user privacy and device integrity.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
