Android Device Vulnerability in Tecno Camon iClick by Tecno
CVE-2019-15345

7.8 HIGH

Key Information:

Vendor
CVE Published: 14 November 2019

Summary

The Tecno Camon iClick contains a critical vulnerability: a pre-installed app exposes an exported service that lets any co-located application dynamically load and execute a Dalvik Executable (DEX) file with system-level permissions. Unprivileged applications can exploit this weakness to perform a wide range of malicious actions, such as video recording the screen, factory resetting the device, accessing sensitive notifications, reading log files, and intercepting personal messages. Users cannot disable the pre-installed app, which significantly increases the risk of unauthorized monitoring and control of the device.
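A defender reviewing pre-installed apps can check a decoded AndroidManifest.xml for this pattern: services reachable by other apps without a signature-level permission, in a package that shares the system UID. The following is an added example, not code from the advisory; the advisory does not name the package or service, so the manifest and every name in it are constructed placeholders.

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest; package, service and permission names are placeholders.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.preinstalled" android:sharedUserId="android.uid.system">
  <permission android:name="com.example.preinstalled.BIND"
      android:protectionLevel="signature"/>
  <permission android:name="com.example.preinstalled.WEAK"/>
  <application>
    <service android:name=".LoaderService" android:exported="true"/>
    <service android:name=".ImplicitService">
      <intent-filter><action android:name="com.example.ACTION"/></intent-filter>
    </service>
    <service android:name=".WeakGuardService" android:exported="true"
        android:permission="com.example.preinstalled.WEAK"/>
    <service android:name=".GuardedService" android:exported="true"
        android:permission="com.example.preinstalled.BIND"/>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>"""

def audit_services(manifest_xml):
    """Return (service, reason, runs_as_system) for services open to other apps."""
    root = ET.fromstring(manifest_xml)
    runs_as_system = root.get(NS + "sharedUserId") == "android.uid.system"
    # Protection level of each permission this manifest declares (default: normal).
    levels = {p.get(NS + "name"): p.get(NS + "protectionLevel", "normal")
              for p in root.iter("permission")}
    findings = []
    for app in root.iter("application"):
        for svc in app.iter("service"):
            exported = svc.get(NS + "exported")
            if exported is None:
                # Without the attribute, an intent-filter implied exported=true before Android 12.
                exported = "true" if svc.find("intent-filter") is not None else "false"
            if exported != "true":
                continue
            perm = svc.get(NS + "permission") or app.get(NS + "permission")
            if perm is None:
                reason = "exported without a permission"
            elif perm not in levels:
                reason = "guarded by %s, declared elsewhere: verify its level" % perm
            elif levels[perm].split("|")[0].startswith("signature"):
                continue  # only callers signed with the same key can bind
            else:
                reason = "guarded by %s at level %s" % (perm, levels[perm])
            findings.append((svc.get(NS + "name"), reason, runs_as_system))
    return findings
```

Findings where the last field is true deserve priority, since code reached through those services runs with the system UID.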

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
